CVE-2022-43021 is a medium-severity SQL injection vulnerability identified in OpenCATS version 0.9.6. OpenCATS is an open-source applicant tracking system used for recruitment management. The vulnerability arises from improper sanitization of the 'entriesPerPage' variable, which is used to control pagination of displayed entries. An attacker with at least low-level privileges (PR:L) can manipulate this parameter to inject malicious SQL code. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), requiring no user interaction (UI:N), and the scope is unchanged (S:U). The impact primarily affects confidentiality (C:H), with no direct impact on integrity or availability. Exploiting this vulnerability could allow an attacker to extract sensitive data from the underlying database, such as candidate information, user credentials, or other confidential recruitment data. However, exploitation requires some level of authenticated access, limiting the attack surface to users who can interact with the application. No known public exploits have been reported to date, and no official patches or vendor advisories are currently available. The vulnerability is classified under CWE-89, which corresponds to SQL injection flaws that allow attackers to interfere with the queries an application makes to its database.

For European organizations using OpenCATS, particularly HR departments and recruitment agencies, this vulnerability poses a risk of unauthorized data disclosure. Sensitive personal data of candidates and employees, protected under GDPR, could be exposed, leading to regulatory penalties and reputational damage. The confidentiality breach could also facilitate further attacks, such as identity theft or social engineering. Since the vulnerability requires authenticated access, the risk is higher if internal accounts are compromised or if weak access controls allow unauthorized users to reach the vulnerable functionality. The lack of integrity and availability impact reduces the risk of data manipulation or service disruption, but the exposure of confidential data remains a significant concern. Organizations relying on OpenCATS for recruitment workflows should consider the potential for insider threats or compromised credentials to escalate the impact of this vulnerability.

European organizations should immediately review and restrict access to OpenCATS instances, ensuring that only trusted and authenticated users can access the application. Implement strict input validation and sanitization on the 'entriesPerPage' parameter to prevent SQL injection. If possible, apply web application firewalls (WAFs) with rules targeting SQL injection patterns to provide an additional layer of defense. Conduct thorough code reviews and penetration testing focused on input handling in OpenCATS. Since no official patch is currently available, consider isolating the application within a segmented network zone to limit exposure. Monitor logs for unusual database query patterns or access attempts that could indicate exploitation attempts. Additionally, enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Backup sensitive data regularly and ensure incident response plans are updated to handle potential data breaches involving recruitment data.