Filtered by vendor Rukovoditel
Subscriptions
Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-43170 | 1 Rukovoditel | 1 Rukovoditel | 2022-11-01 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block". | ||||
| CVE-2022-43166 | 1 Rukovoditel | 1 Rukovoditel | 2022-10-28 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity". | ||||
| CVE-2022-43165 | 1 Rukovoditel | 1 Rukovoditel | 2022-10-28 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create". | ||||
| CVE-2022-43164 | 1 Rukovoditel | 1 Rukovoditel | 2022-10-28 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". | ||||
| CVE-2022-43185 | 1 Rukovoditel | 1 Rukovoditel | 2022-10-20 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter. | ||||
| CVE-2020-13589 | 1 Rukovoditel | 1 Rukovoditel | 2022-10-06 | 8.8 High |
| An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2020-13588 | 1 Rukovoditel | 1 Rukovoditel | 2022-10-06 | 8.8 High |
| An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2020-13590 | 1 Rukovoditel | 1 Rukovoditel | 2022-04-26 | 7.2 High |
| Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2020-18469 | 1 Rukovoditel | 1 Rukovoditel | 2021-08-27 | 5.4 Medium |
| Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to /rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application. | ||||
| CVE-2020-18470 | 1 Rukovoditel | 1 Rukovoditel | 2021-08-27 | 5.4 Medium |
| Stored cross-site scripting (XSS) vulnerability in the Name of application field found in the General Configuration page in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to rukovoditel_2.4.1/install/index.php. | ||||
| CVE-2020-11821 | 1 Rukovoditel | 1 Rukovoditel | 2021-07-21 | 5.3 Medium |
| In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them. | ||||
| CVE-2020-11819 | 1 Rukovoditel | 1 Rukovoditel | 2021-07-21 | 9.8 Critical |
| In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution. | ||||
| CVE-2020-35985 | 1 Rukovoditel | 1 Rukovoditel | 2021-07-13 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | ||||
| CVE-2020-35986 | 1 Rukovoditel | 1 Rukovoditel | 2021-07-13 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | ||||
| CVE-2020-35987 | 1 Rukovoditel | 1 Rukovoditel | 2021-07-13 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | ||||
| CVE-2020-35984 | 1 Rukovoditel | 1 Rukovoditel | 2021-07-13 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. | ||||
| CVE-2021-30224 | 1 Rukovoditel | 1 Rukovoditel | 2021-05-03 | 8.8 High |
| Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials. | ||||
| CVE-2020-11817 | 1 Rukovoditel | 1 Rukovoditel | 2020-05-05 | 9.8 Critical |
| In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting. | ||||
| CVE-2020-11822 | 1 Rukovoditel | 1 Rukovoditel | 2020-05-04 | 6.1 Medium |
| In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. Thus, an attacker can inject malicious script to steal all users' valuable data. | ||||
| CVE-2020-11815 | 1 Rukovoditel | 1 Rukovoditel | 2020-04-23 | 9.8 Critical |
| In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. | ||||