Rukovoditel
by Rukovoditel
Source repositories
CVEs (52)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-11819 | | Critical | 0.69 | 9.8 | 0.27 | | Apr 16, 2020 | In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution. |
| CVE-2022-48175 | | Critical | 0.64 | 9.8 | 0.02 | | Jan 30, 2023 | Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request. |
| CVE-2022-44945 | | Critical | 0.64 | 9.8 | 0.01 | | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter. |
| CVE-2022-43168 | | Critical | 0.64 | 9.8 | 0.01 | | Oct 28, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter. |
| CVE-2020-11817 | | Critical | 0.64 | 9.8 | 0.02 | | Apr 27, 2020 | In Rukovoditel v2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting. |
| CVE-2020-11820 | | Critical | 0.64 | 9.8 | 0.02 | | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter. |
| CVE-2020-11816 | | Critical | 0.64 | 9.8 | 0.02 | | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter. |
| CVE-2020-11815 | | Critical | 0.64 | 9.8 | 0.02 | | Apr 16, 2020 | In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. |
| CVE-2020-11812 | | Critical | 0.64 | 9.8 | 0.02 | | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter. |
| CVE-2018-20166 | | High | 0.61 | 8.8 | 0.07 | | Jan 2, 2019 | A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in… |
| CVE-2022-45020 | | High | 0.57 | 8.8 | 0.01 | | Dec 5, 2022 | Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request. |
| CVE-2022-43288 | | High | 0.57 | 8.8 | 0.01 | | Nov 14, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php. |
| CVE-2020-13589 | | High | 0.57 | 8.8 | 0.01 | | Aug 17, 2021 | An exploitable SQL injection vulnerability exists in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields' page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL… |
| CVE-2020-13588 | | High | 0.57 | 8.8 | 0.01 | | Aug 17, 2021 | An exploitable SQL injection vulnerability exists in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in the 'entities/fields' page is vulnerable to authenticated SQL injection. An attacker can make authenticated… |
| CVE-2021-30224 | | High | 0.57 | 8.8 | 0.01 | | Apr 29, 2021 | Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with arbitrary credentials. |
| CVE-2020-13592 | | High | 0.57 | 8.8 | 0.02 | | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in the "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this… |
| CVE-2020-13591 | | High | 0.57 | 8.8 | 0.02 | | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,… |
| CVE-2020-13587 | | High | 0.57 | 8.8 | 0.02 | | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,… |
| CVE-2020-11818 | | High | 0.57 | 8.8 | 0.01 | | Apr 16, 2020 | Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user's valid token. Thus, an attacker can change the Admin password by using a CSRF attack and escalate his/her privileges. |
| CVE-2020-13590 | | High | 0.47 | 7.2 | 0.01 | | Apr 18, 2022 | Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities,… |