VYPR

Rukovoditel

by Rukovoditel

CVEs (52)

  • CVE-2020-11819 · Critical · Apr 16, 2020
    risk 0.69 · cvss 9.8 · epss 0.27

    In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.

  • CVE-2022-48175 · Critical · Jan 30, 2023
    risk 0.64 · cvss 9.8 · epss 0.02

    Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request.

  • CVE-2022-44945 · Critical · Dec 2, 2022
    risk 0.64 · cvss 9.8 · epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter.

  • CVE-2022-43168 · Critical · Oct 28, 2022
    risk 0.64 · cvss 9.8 · epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter.

  • CVE-2020-11817 · Critical · Apr 27, 2020
    risk 0.64 · cvss 9.8 · epss 0.02

    In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server just by changing the Content-Type value. As a result, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting.

  • CVE-2020-11820 · Critical · Apr 16, 2020
    risk 0.64 · cvss 9.8 · epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter.

  • CVE-2020-11816 · Critical · Apr 16, 2020
    risk 0.64 · cvss 9.8 · epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter.

  • CVE-2020-11815 · Critical · Apr 16, 2020
    risk 0.64 · cvss 9.8 · epss 0.02

    In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server just by changing the Content-Type value. As a result, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting.

  • CVE-2020-11812 · Critical · Apr 16, 2020
    risk 0.64 · cvss 9.8 · epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter.

  • CVE-2018-20166 · High · Jan 2, 2019
    risk 0.61 · cvss 8.8 · epss 0.07

    A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in…

  • CVE-2022-45020 · High · Dec 5, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

  • CVE-2022-43288 · High · Nov 14, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php.

  • CVE-2020-13589 · High · Aug 17, 2021
    risk 0.57 · cvss 8.8 · epss 0.01

    An exploitable SQL injection vulnerability exists in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields' page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL…

  • CVE-2020-13588 · High · Aug 17, 2021
    risk 0.57 · cvss 8.8 · epss 0.01

    An exploitable SQL injection vulnerability exists in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in the 'entities/fields' page is vulnerable to authenticated SQL injection. An attacker can make authenticated…

  • CVE-2021-30224 · High · Apr 29, 2021
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with arbitrary credentials.

  • CVE-2020-13592 · High · Apr 9, 2021
    risk 0.57 · cvss 8.8 · epss 0.02

    An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this…

  • CVE-2020-13591 · High · Apr 9, 2021
    risk 0.57 · cvss 8.8 · epss 0.02

    An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,…

  • CVE-2020-13587 · High · Apr 9, 2021
    risk 0.57 · cvss 8.8 · epss 0.02

    An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,…

  • CVE-2020-11818 · High · Apr 16, 2020
    risk 0.57 · cvss 8.8 · epss 0.01

    Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user's valid token, so an attacker can change the admin password through a CSRF attack and escalate privileges.

  • CVE-2020-13590 · High · Apr 18, 2022
    risk 0.47 · cvss 7.2 · epss 0.01

    Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities,…
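Most entries on this page are SQL injection through request parameters that are pasted into statement text: integer ids such as reports_id, entities_id and heading_field_id, and, in CVE-2022-43288, an order_by column name. The example below is added here to show both shapes side by side with a hardened version; it is not Rukovoditel's code (the application is PHP; Python with sqlite3 is used only as a language-neutral illustration), and the table, rows, column allowlist and function names are constructed for the demo. The order_by case is the one practitioners most often get wrong: a bind parameter cannot carry an identifier, so ORDER BY needs an allowlist rather than a placeholder, and an unchecked column name is enough for a blind, boolean-based probe that leaks data through the sort order alone.

```python
"""Added demonstration of the SQL-injection pattern named in the entries above
(integer ids such as reports_id / entities_id and an order_by column name),
with a hardened version beside it. Schema, rows and function names are
constructed for this demo and are not Rukovoditel's code."""
import sqlite3


def make_db():
    """Constructed in-memory database; the rows stand in for report records."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE app_reports(id INTEGER, name TEXT, owner_id INTEGER);
        INSERT INTO app_reports VALUES (1, 'Weekly status', 10),
                                       (2, 'Payroll export', 20),
                                       (3, 'Board pack', 30);
        """
    )
    return db


# Assumption: only these two columns are meant to be sortable.
ALLOWED_ORDER_BY = {"id", "name"}


def fetch_vulnerable(db, reports_id, order_by="id"):
    """Both request values are pasted into the statement text."""
    sql = (f"SELECT id, name FROM app_reports WHERE id={reports_id} "
           f"ORDER BY {order_by}")
    return db.execute(sql).fetchall()


def fetch_hardened(db, reports_id, order_by="id"):
    """Numeric input is coerced and bound; the identifier is allowlisted,
    because bind parameters cannot carry a column name."""
    rid = int(reports_id)  # ValueError on anything that is not an integer
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError(f"order_by not allowed: {order_by!r}")
    sql = f"SELECT id, name FROM app_reports WHERE id=? ORDER BY {order_by}"
    return db.execute(sql, (rid,)).fetchall()


def owner_probe(report_id, guess):
    """Blind probe through ORDER BY: the sort order reveals whether the
    sub-select's condition holds, with no error message and no extra column."""
    return (f"CASE WHEN (SELECT owner_id FROM app_reports WHERE id={report_id})"
            f"={guess} THEN id ELSE name END")


def demo():
    db = make_db()
    out = {}
    # Tautology in the id parameter returns every row, not just report 1.
    out["vuln_all_rows"] = [r[0] for r in fetch_vulnerable(db, "1 OR 1=1")]
    # Correct guess sorts by id (1,2,3); wrong guess sorts by name (3,2,1).
    out["probe_true"] = [r[0] for r in
                         fetch_vulnerable(db, "1 OR 1=1", owner_probe(2, 20))]
    out["probe_false"] = [r[0] for r in
                          fetch_vulnerable(db, "1 OR 1=1", owner_probe(2, 99))]
    out["hardened_ok"] = fetch_hardened(db, "1")
    # Both injected values are refused before any SQL runs.
    out["hardened_rejects"] = []
    for args in (("1 OR 1=1",), ("1", owner_probe(2, 20))):
        try:
            fetch_hardened(db, *args)
            out["hardened_rejects"].append(False)
        except ValueError:
            out["hardened_rejects"].append(True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to see the three vulnerable results and the two rejections. The probe shows why "the column is only used for sorting" is not a safe argument: with an unchecked order_by an authenticated user can read any value in the database one comparison at a time, which is the same impact as the other SQL injection entries on this page.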
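Three entries above (CVE-2020-11815, CVE-2020-11817 and CVE-2018-20166) are the same upload weakness in two forms: the server trusts the client-supplied Content-Type, or it accepts any file whose first bytes look like a GIF, and then keeps the client's filename. The example below is added to show that weak check beside a hardened one; it is not Rukovoditel's code (the application is PHP; Python is used as a language-neutral illustration), and the magic-byte table, the extension allowlist and the sample uploads are constructed for the demo.

```python
"""Added demonstration of the upload checks behind the Content-Type and
GIF-header entries above: a weak validator that trusts what the client says,
beside a hardened one. Sample uploads are constructed; nothing here is
Rukovoditel's own code."""
import re
import secrets

# Magic bytes for the image types the demo accepts (assumption: only these).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
ALLOWED_EXT = {"gif": "gif", "png": "png", "jpg": "jpg", "jpeg": "jpg"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def weak_validate(filename, content_type, data):
    """The pattern the advisories describe: accept if the client-declared
    type is an image or the data merely begins like a GIF, and keep the
    client's filename (so shell.php lands on disk as shell.php)."""
    if content_type.startswith("image/") or data.startswith(MAGIC["gif"]):
        return True, filename
    return False, "rejected"


def hardened_validate(filename, content_type, data):
    """Decide the type from the bytes, require the name to agree, refuse
    embedded PHP, and never reuse the client's name."""
    del content_type  # attacker-controlled; deliberately ignored
    kind = next((k for k, sigs in MAGIC.items() if data.startswith(sigs)), None)
    if kind is None:
        return False, "no recognised image signature"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ALLOWED_EXT.get(ext) != kind:
        return False, f"extension {ext!r} does not match content type {kind!r}"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag inside image data"
    return True, kind


def stored_name(kind):
    """Server-chosen name: random, single extension derived from the bytes."""
    return f"{secrets.token_hex(16)}.{kind}"


# Constructed uploads: (client filename, client Content-Type, bytes).
GIF_BYTES = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
PHP_BYTES = b"<?php system($_GET['c']); ?>"
SAMPLES = {
    "genuine_gif":  ("logo.gif",   "image/gif",         GIF_BYTES),
    "ctype_only":   ("shell.php",  "image/gif",         PHP_BYTES),
    "gif_header":   ("bg.php",     "image/gif",         b"GIF89a" + PHP_BYTES),
    "polyglot_gif": ("bg.gif",     "image/gif",         b"GIF89a" + PHP_BYTES),
    "double_ext":   ("bg.php.gif", "image/gif",         GIF_BYTES),
    "honest_php":   ("shell.php",  "application/x-php", PHP_BYTES),
}


def run_samples():
    """Returns {sample: (weak_accepts, hardened_accepts)}."""
    return {name: (weak_validate(*s)[0], hardened_validate(*s)[0])
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13} weak={verdict[0]!s:5} hardened={verdict[1]}")
```

The weak validator accepts five of the six samples, including a plain PHP file with a lied Content-Type and a PHP file with six GIF bytes prepended; the hardened one accepts only the two genuine images, and the second of those (bg.php.gif) is stored under a random server-chosen name, so the client's double extension never reaches disk. Validation alone is still not the whole fix: the upload directory must also be one the web server will not execute scripts from, which is what turns a bypassed check into command execution in these entries.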
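The two CSRF entries above describe different failures of the same control: CVE-2021-30224 is a state-changing request with no effective token, and CVE-2020-11818 is a form_session_token that is accepted as long as it was issued to someone, so an attacker's own token protects the victim's request. The example below is added to show that pooled check beside a session-bound one; it is not Rukovoditel's code (the application is PHP; Python is used as a language-neutral illustration), and the session ids, the password-change handler and the one-session-per-user mapping are constructed for the demo.

```python
"""Added demonstration of the CSRF-token weakness in the entries above: a
token pool that is valid for any session versus a token bound to the session
that requested it. Session ids and the password-change handler are
constructed for the demo; this is not Rukovoditel's code."""
import hmac
import secrets


class PooledTokens:
    """The bypassable pattern: any token the server ever issued is accepted,
    regardless of which session it was issued to."""
    def __init__(self):
        self.valid = set()

    def issue(self, session_id):
        token = secrets.token_hex(16)
        self.valid.add(token)
        return token

    def verify(self, session_id, token):
        return token in self.valid  # session_id is never consulted


class SessionBoundTokens:
    """One token per session; verification compares against that session's
    own token only, in constant time."""
    def __init__(self):
        self.by_session = {}

    def issue(self, session_id):
        token = secrets.token_hex(16)
        self.by_session[session_id] = token
        return token

    def verify(self, session_id, token):
        expected = self.by_session.get(session_id)
        return expected is not None and hmac.compare_digest(expected, token)


def change_password(tokens, users, request):
    """Constructed handler. The session cookie is attached automatically by
    the browser that submits the form; the form fields come from whoever
    authored the page. Assumption: one session per user, keyed by session."""
    session_id, form = request["cookie_session"], request["form"]
    if not tokens.verify(session_id, form.get("form_session_token", "")):
        return False
    users[session_id]["password"] = form["new_password"]
    return True


def simulate_attack(tokens_cls):
    """Attacker with their own account builds a form carrying their own valid
    token and gets the logged-in admin to submit it. True if the admin's
    password changed."""
    tokens = tokens_cls()
    users = {"sess-admin": {"password": "original"},
             "sess-attacker": {"password": "irrelevant"}}
    tokens.issue("sess-admin")                      # admin's real token, never seen
    attacker_token = tokens.issue("sess-attacker")  # attacker's own valid token
    forged = {"cookie_session": "sess-admin",       # victim browser adds this
              "form": {"form_session_token": attacker_token,
                       "new_password": "pwned"}}
    change_password(tokens, users, forged)
    return users["sess-admin"]["password"] == "pwned"


def legitimate_change(tokens_cls):
    """Control case: the admin submits the form with their own token."""
    tokens = tokens_cls()
    users = {"sess-admin": {"password": "original"}}
    token = tokens.issue("sess-admin")
    ok = change_password(tokens, users, {
        "cookie_session": "sess-admin",
        "form": {"form_session_token": token, "new_password": "new"}})
    return ok and users["sess-admin"]["password"] == "new"


if __name__ == "__main__":
    for cls in (PooledTokens, SessionBoundTokens):
        print(cls.__name__, "attack succeeds:", simulate_attack(cls),
              "legitimate works:", legitimate_change(cls))
```

With PooledTokens the forged request goes through because the token is real, just not the victim's; with SessionBoundTokens it fails while the admin's own submission still works. The property to check in a review is that the token is looked up by the requester's session (or derived from it with a server secret) and never by token value alone.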

Page 1 of 3