Lucene search

K
RukovoditelRukovoditel

49 matches found

CVE
CVE
added 2021/07/09 10:15 p.m.77 views

CVE-2020-35985

A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

5.4CVSS5.2AI score0.05134EPSS
CVE
CVE
added 2021/07/09 10:15 p.m.75 views

CVE-2020-35987

A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

5.4CVSS5.2AI score0.01614EPSS
CVE
CVE
added 2022/12/05 11:15 p.m.73 views

CVE-2022-45020

Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

8.8CVSS7.7AI score0.00134EPSS
CVE
CVE
added 2020/04/16 7:15 p.m.71 views

CVE-2020-11819

In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.

9.8CVSS9.6AI score0.29397EPSS
CVE
CVE
added 2023/01/30 11:15 p.m.71 views

CVE-2022-48175

Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request.

9.8CVSS9.8AI score0.05227EPSS
CVE
CVE
added 2021/08/17 8:15 p.m.70 views

CVE-2020-13588

An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this v...

8.8CVSS8.8AI score0.00719EPSS
CVE
CVE
added 2021/07/09 10:15 p.m.68 views

CVE-2020-35986

A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

5.4CVSS5.2AI score0.02223EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.67 views

CVE-2022-44947

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into th...

5.4CVSS5.3AI score0.01097EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.66 views

CVE-2022-44945

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter.

9.8CVSS9.7AI score0.0029EPSS
CVE
CVE
added 2021/07/09 10:15 p.m.64 views

CVE-2020-35984

A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.

5.4CVSS5.2AI score0.01648EPSS
CVE
CVE
added 2022/11/14 3:16 p.m.64 views

CVE-2022-43288

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php.

8.8CVSS8.9AI score0.00072EPSS
CVE
CVE
added 2022/10/28 5:15 p.m.62 views

CVE-2022-43169

A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add...

5.4CVSS5.1AI score0.06371EPSS
CVE
CVE
added 2021/08/17 8:15 p.m.61 views

CVE-2020-13589

An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL injection. An attacker can m...

8.8CVSS8.8AI score0.00719EPSS
CVE
CVE
added 2022/10/28 5:15 p.m.57 views

CVE-2022-43166

A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity"...

5.4CVSS5.1AI score0.06371EPSS
CVE
CVE
added 2021/04/09 6:15 p.m.56 views

CVE-2020-13587

An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done ei...

8.8CVSS8.8AI score0.0333EPSS
CVE
CVE
added 2022/10/28 5:15 p.m.55 views

CVE-2022-43165

A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create".

5.4CVSS5.1AI score0.05356EPSS
CVE
CVE
added 2021/04/09 6:15 p.m.54 views

CVE-2020-13592

An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either wit...

8.8CVSS8.8AI score0.02882EPSS
CVE
CVE
added 2022/10/28 5:15 p.m.54 views

CVE-2022-43167

A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add".

5.4CVSS5.1AI score0.07094EPSS
CVE
CVE
added 2022/10/19 2:15 p.m.54 views

CVE-2022-43185

A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.

5.4CVSS5.2AI score0.04806EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.54 views

CVE-2022-44950

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name...

5.4CVSS5.3AI score0.01727EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.52 views

CVE-2022-44949

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Shor...

5.4CVSS5.3AI score0.01727EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.52 views

CVE-2022-44951

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Na...

5.4CVSS5.3AI score0.01727EPSS
CVE
CVE
added 2019/02/05 6:29 a.m.51 views

CVE-2019-7400

Rukovoditel before 2.4.1 allows XSS.

6.1CVSS6.2AI score0.0738EPSS
CVE
CVE
added 2022/10/28 5:15 p.m.51 views

CVE-2022-43168

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter.

9.8CVSS9.7AI score0.00251EPSS
CVE
CVE
added 2022/10/28 5:15 p.m.51 views

CVE-2022-43170

A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking ...

5.4CVSS5.1AI score0.06535EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.50 views

CVE-2022-44948

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field ...

5.4CVSS5.3AI score0.01727EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.50 views

CVE-2022-44952

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking "Ad...

5.4CVSS5.3AI score0.0151EPSS
CVE
CVE
added 2020/04/16 7:15 p.m.48 views

CVE-2020-11812

Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter.

9.8CVSS9.7AI score0.00309EPSS
CVE
CVE
added 2021/04/09 6:15 p.m.48 views

CVE-2020-13591

An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done eit...

8.8CVSS8.8AI score0.02781EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.46 views

CVE-2022-44946

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title fi...

5.4CVSS5.3AI score0.01097EPSS
CVE
CVE
added 2020/04/16 7:15 p.m.45 views

CVE-2020-11820

Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter.

9.8CVSS9.7AI score0.00642EPSS
CVE
CVE
added 2022/12/02 8:15 p.m.45 views

CVE-2022-44944

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ...

5.4CVSS5.3AI score0.01097EPSS
CVE
CVE
added 2020/04/16 7:15 p.m.43 views

CVE-2020-11818

In Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user's valid token. Thus, an attacker can change the Admin password by using a CSRF attack and escalate his/her privileges.

8.8CVSS8.8AI score0.00053EPSS
CVE
CVE
added 2022/10/28 5:15 p.m.43 views

CVE-2022-43164

A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add".

5.4CVSS5.1AI score0.07099EPSS
CVE
CVE
added 2019/01/02 6:29 p.m.42 views

CVE-2018-20166

A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in ".php" with mixed case...

8.8CVSS8.6AI score0.03487EPSS
CVE
CVE
added 2019/05/07 7:29 p.m.42 views

CVE-2019-7541

Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.

6.1CVSS5.9AI score0.0266EPSS
CVE
CVE
added 2020/04/16 7:15 p.m.42 views

CVE-2020-11815

In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting.

9.8CVSS9.5AI score0.00878EPSS
CVE
CVE
added 2020/04/16 7:15 p.m.41 views

CVE-2020-11813

In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous.

5.4CVSS5.1AI score0.00281EPSS
CVE
CVE
added 2024/05/04 8:15 p.m.41 views

CVE-2024-34468

Rukovoditel before 3.5.3 allows XSS via user_photo to My Page.

6.1CVSS5.8AI score0.00346EPSS
CVE
CVE
added 2024/05/04 8:15 p.m.41 views

CVE-2024-34469

Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save.

7.1CVSS5.8AI score0.00863EPSS
CVE
CVE
added 2020/04/16 7:15 p.m.40 views

CVE-2020-11816

Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter.

9.8CVSS9.7AI score0.00642EPSS
CVE
CVE
added 2022/04/18 5:15 p.m.38 views

CVE-2020-13590

Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities, this can be done eit...

7.2CVSS7.8AI score0.00918EPSS
CVE
CVE
added 2021/08/26 6:15 p.m.38 views

CVE-2020-18469

Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to /rukov...

5.4CVSS5.1AI score0.00114EPSS
CVE
CVE
added 2020/04/27 3:15 p.m.37 views

CVE-2020-11821

In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them.

5.3CVSS5.2AI score0.00674EPSS
CVE
CVE
added 2020/09/14 12:15 p.m.37 views

CVE-2020-21732

Rukovoditel Project Management app 2.6 is affected by: Cross Site Scripting (XSS). An attacker can add JavaScript code to the filename.

6.1CVSS6.2AI score0.0045EPSS
CVE
CVE
added 2020/04/27 3:15 p.m.34 views

CVE-2020-11817

In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting.

9.8CVSS9.5AI score0.00873EPSS
CVE
CVE
added 2021/04/29 3:15 p.m.34 views

CVE-2021-30224

Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials.

8.8CVSS8.7AI score0.00113EPSS
CVE
CVE
added 2020/04/27 3:15 p.m.33 views

CVE-2020-11822

In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. Thus, an attacker can inject malicious script to steal all users' valuable data.

6.1CVSS5.9AI score0.00288EPSS
CVE
CVE
added 2021/08/26 6:15 p.m.29 views

CVE-2020-18470

Stored cross-site scripting (XSS) vulnerability in the Name of application field found in the General Configuration page in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to rukovoditel_2.4.1/in...

5.4CVSS5.1AI score0.00135EPSS