6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.7%
An exploitable SQL injection vulnerability exists in the ‘‘access_rules/rules_form’ page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.
Rukovoditel Project Management App 2.7.2
<https://www.rukovoditel.net/>
5.4 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Rukovoditel is an open-source project management tool and CRM tool design to support project managers in complex tasks.
The entities_id
parameter in access_rules/rules_form
page is vulnerable to authenticated SQL injection. The following request would trigger the vulnerability:
POST /crm/index.php?module=access_rules/rules_form&fields_id=1&entities_id=1<SQLINJECTION> HTTP/1.1
Host: [IP]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://[IP]
DNT: 1
Connection: close
Referer: http://[IP]/crm/index.php?module=entities/forms&entities_id=24
Cookie: cookie_test=please_accept_for_session; sid=84edp91galu92kc98ja9r4uhto; PHPSESSID=hru4oem2h86lj609i2acmvrnup
Content-Type: application/x-www-form-urlencoded
Content-Length: 173
heading_field_id=1&selected_fields=1&field_type=fieldtype_input&id=©_selected=1©_to_entities_id=1©_to_form_tabs_id=1&fields_in_listing[name]=1&name=1&fields_id=1
The above SQL injection exists in the access_rules/rules_form
page due to lack of filtering applied on specific parameter. At line 78 of the source we can see that an unsanitized entities_id
is used as part of select
query.
78 $fields_query = db_query(“select f.*, t.name as tab_name from app_fields f, app_forms_tabs t where f.type not in (“ . fields_types::get_reserverd_types_list() . “) and f.entities_id=’” . $_GET[‘entities_id’] . “’ and f.forms_tabs_id=t.id order b y t.sort_order, t.name, f.sort_order, f.name”);
79 while($fields = db_fetch_array($fields_query))
80 {
81 $choices[$fields['id']] = $fields['name'];
82 }
83 ?>
An attacker either needs administrator privileges or they could trigger this vulnerability through cross-site request forgery.
2020-11-24 - Vendor Disclosure
2021-02-09 - 60+ day follow up
2021-02-10 - Vendor advises issue is not a security vulnerability
2021-02-23 - Talos retested and reconfirmed on new version 2.8.2; follow up email issued to vendor
2021-03-03 - 3rd follow up and final 90 day notice
2021-04-08 - Public Release
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
69.7%