Blind SQL Injection in OpenCATS 0.9.7.4 Risks Candidate Data and Credential Leakage
What Happened — A proof‑of‑concept exploit released on Exploit‑DB (EDB‑ID 52579) demonstrates a blind SQL injection in the ajax.php endpoint of OpenCATS 0.9.7.4. The vulnerability allows an attacker to enumerate the underlying MariaDB database, extract version information, list user accounts, and retrieve password hashes.
Why It Matters for TPRM —
- Candidate personal data (résumés, contact details) can be harvested without authentication.
- Compromised user credentials enable lateral movement into other corporate systems.
- Many staffing agencies and HR departments rely on OpenCATS as a third‑party recruiting platform.
Who Is Affected — Professional services firms, staffing agencies, and any organization that has deployed OpenCATS ≤ 0.9.7.4 as an applicant‑tracking system (ATS).
Recommended Actions —
- Verify the OpenCATS version in use; upgrade to a patched release or apply immediate input‑validation mitigations.
- Conduct targeted penetration testing of the ATS deployment to confirm remediation.
- Rotate any credentials that may have been exposed and enforce strong password policies.
- Enable database query logging and monitor for anomalous
SLEEP‑based requests.
Technical Notes — The exploit abuses a blind time‑based SQL injection (IF(condition, SLEEP(1.5),0)) in the ajax.php endpoint, requiring no authentication. No CVE has been assigned (GHSA‑8mc8‑5gw6‑c7w4). Affected data includes user tables (user_name, access_level, password hashes) and can reveal the full database schema. Source: Exploit‑DB 52579