Overview

The original version of 8440 contained a potential security issue, which required that an updated version of 8440 be released.


Issue information

The issue was that SnapHire was not correctly escaping JavaScript entered into additional information questions asked of job seekers. Additional information questions introduce a free-form text box when the user picks certain options. For example, if a job seeker selects "Yes" to a criminal convictions question, a box may appear asking for more details.


A malicious person could potentially enter JavaScript into this text box, and it would trigger whenever the answer is rendered on a webpage (either the account profile details page on the careers site for job seekers, or the job seeker profile page on the recruiter site).


Fix information

The fix ensures that SnapHire correctly escapes JavaScript entered into these fields, so no malicious actions are triggered when an answer containing code is viewed.

  • This change is not a "patch", but an official part of SnapHire version 8440. 
  • Please note that the Version 8440 Release Information has not been updated to reflect this change.
  • Due to the nature of this exploit, we did not share this update information with clients until all sites had been upgraded to this updated version of 8440. Please be assured that your site has been updated to ensure that you are not exposed to the potential security issue.
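
The escaping described under Fix information, sketched as an added example; this is not SnapHire code. All function names, markup and sample answers are hypothetical and constructed for illustration. It shows the unescaped rendering next to the escaped one, with both profile views sharing the same escaped renderer.

```javascript
// Added illustration; names and markup are hypothetical, not SnapHire code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure in element or
// quoted-attribute context. Null/undefined render as an empty string.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored answer is concatenated into the page as markup.
function renderAnswerUnescaped(question, answer) {
  return `<dt>${question}</dt><dd>${answer}</dd>`;
}

// "After": every stored value is encoded at the point of output.
function renderAnswerEscaped(question, answer) {
  return `<dt>${escapeHtml(question)}</dt><dd>${escapeHtml(answer)}</dd>`;
}

// Both views that display the answer go through the same escaped renderer,
// so neither the job seeker's page nor the recruiter's page can miss it.
function renderCareersProfile(answers) {
  const rows = answers.map((a) => renderAnswerEscaped(a.q, a.text)).join('');
  return `<dl class="profile">${rows}</dl>`;
}
function renderRecruiterProfile(name, answers) {
  const rows = answers.map((a) => renderAnswerEscaped(a.q, a.text)).join('');
  return `<h1>${escapeHtml(name)}</h1><dl>${rows}</dl>`;
}

// Constructed sample data: one ordinary answer, one containing markup.
const SAMPLE_ANSWERS = [
  { q: 'Please give details', text: 'Speeding fine in 2009 & nothing since' },
  { q: 'Please give details', text: '<script>alert(1)</script>' },
];

// True if the rendered page contains a script element.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log(renderCareersProfile(SAMPLE_ANSWERS));
console.log(renderRecruiterProfile('A. Candidate', SAMPLE_ANSWERS));
```

Escaping at output time, rather than only when the answer is submitted, also covers answers that were stored before the fix.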