Rukovoditel
by Rukovoditel
CVEs (52)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-18469 | Rukovoditel / Rukovoditel | Med | 0.35 | 5.4 | 0.01 | — | Aug 26, 2021 | Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST… |
| CVE-2020-35987 | Rukovoditel / Rukovoditel | Med | 0.35 | 5.4 | 0.01 | — | Jul 9, 2021 | A stored cross-site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. |
| CVE-2020-35986 | Rukovoditel / Rukovoditel | Med | 0.35 | 5.4 | 0.01 | — | Jul 9, 2021 | A stored cross-site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. |
| CVE-2020-35985 | Rukovoditel / Rukovoditel | Med | 0.35 | 5.4 | 0.01 | — | Jul 9, 2021 | A stored cross-site scripting (XSS) vulnerability in the 'Global Lists' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. |
| CVE-2020-35984 | Rukovoditel / Rukovoditel | Med | 0.35 | 5.4 | 0.01 | — | Jul 9, 2021 | A stored cross-site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. |
| CVE-2020-11821 | Rukovoditel / Rukovoditel | Med | 0.35 | 5.3 | 0.01 | — | Apr 27, 2020 | In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily brute-force them. |
| CVE-2020-11813 | Rukovoditel / Rukovoditel | Med | 0.35 | 5.4 | 0.01 | — | Apr 16, 2020 | In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page, so this attack vector can be very dangerous. |
| CVE-2023-53913 | Rukovoditel / Rukovoditel | — | 0.00 | — | 0.01 | — | Dec 17, 2025 | Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc\|a!z\| to trigger code execution when an admin exports customer data as a CSV file. |
| CVE-2023-53898 | Rukovoditel / Rukovoditel | — | 0.00 | — | 0.00 | — | Dec 16, 2025 | Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in the application copyright text to execute arbitrary JavaScript in victim browsers. |
| CVE-2023-53897 | Rukovoditel / Rukovoditel | — | 0.00 | — | 0.00 | — | Dec 16, 2025 | Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers. |
| CVE-2024-34468 | Rukovoditel / Rukovoditel | — | 0.00 | — | 0.00 | — | May 4, 2024 | Rukovoditel before 3.5.3 allows XSS via user_photo to My Page. |
| CVE-2024-34469 | Rukovoditel / Rukovoditel | — | 0.00 | — | 0.01 | — | May 4, 2024 | Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save. |
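CVE-2023-53913 above describes the classic CSV/formula injection pattern: a value such as `=calc|a!z|` stored in a text field is written verbatim into an export, and the spreadsheet that opens the file evaluates it as a formula or DDE command. The following is an added example, not Rukovoditel's export code, showing the unsafe and neutralised forms of such an export side by side plus an audit function that flags formula-triggering cells in an existing dump. The customer records are constructed sample data; the column names are assumptions.

```python
"""Formula (CSV) injection: neutralising cells on export and auditing a dump.

Added illustration, not code from Rukovoditel. Column names and the sample
customer rows below are made up for the example.
"""
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# or DDE expression when the CSV is opened. Tab and CR are included because a
# cell beginning with them is still parsed as a formula by some versions.
# Note that quoting the cell ("=calc|a!z|") does NOT help: the quotes are
# stripped by the CSV parser before the cell content is interpreted.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would treat this cell as a formula, not text."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value: str) -> str:
    """Prefix a single quote so the spreadsheet stores the cell as literal text.

    The apostrophe is the OWASP-recommended defence; it is not displayed by
    Excel/LibreOffice but forces the text interpretation.
    """
    return "'" + value if is_formula_cell(value) else value


def export_csv(rows, neutralise: bool = True) -> str:
    """Write customer rows to CSV text. neutralise=False reproduces the
    vulnerable behaviour: attacker-controlled cells are written as-is."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["firstname", "lastname", "email"])  # assumed columns
    for row in rows:
        cells = [str(c) for c in row]
        if neutralise:
            cells = [neutralise_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def find_injected_cells(csv_text: str):
    """Audit an export before opening it: return (row, col, value) for every
    cell that would be evaluated as a formula. Row 0 is the header."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample data: one record carrying the DDE payload quoted in the
# CVE description, one benign record, and one that looks like arithmetic.
SAMPLE_CUSTOMERS = [
    ("=calc|a!z|", "Doe", "jdoe@example.test"),
    ("Alice", "Smith", "asmith@example.test"),
    ("-1+1", "Negative", "n@example.test"),
]

if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_CUSTOMERS, neutralise=False)
    safe = export_csv(SAMPLE_CUSTOMERS, neutralise=True)
    print("unsafe export, flagged cells:", find_injected_cells(unsafe))
    print("neutralised export, flagged cells:", find_injected_cells(safe))
    print(safe)
```

The `-` trigger also matches legitimate negative numbers, so in a real exporter apply `neutralise_cell` only to free-text columns (names, comments) and leave typed numeric columns alone; otherwise users will see stray apostrophes. The audit function is the part to keep handy during incident response: run it over a suspicious export before anyone opens it in a spreadsheet.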
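Ten of the twelve entries on this page are stored XSS, in two distinct output contexts: HTML body (copyright text shown in every page footer, entity and list names, task comments) and an HTML attribute (the `user_photo` value, which is presumably rendered into an image `src`). The following added example, not Rukovoditel's templating code, renders payloads modelled on the CVE descriptions through an unsafe and an escaped template for each context and uses Python's `html.parser` to show which elements and attributes the browser-side parser would actually see. The footer and `<img>` markup, the payload strings and the upload path are assumptions made for the demonstration.

```python
"""Stored XSS: body vs attribute context, unescaped and escaped rendering.

Added illustration, not code from Rukovoditel. The templates, payloads and
/uploads/ path are assumptions for the example.
"""
import html
from html.parser import HTMLParser

# Constructed payloads modelled on the CVE text: script + iframe in the
# copyright field, and a user_photo value that tries to close the src
# attribute and add an event handler.
COPYRIGHT_PAYLOAD = (
    '<script>alert(document.cookie)</script>'
    '<iframe src="https://attacker.example"></iframe>'
)
PHOTO_PAYLOAD = 'x.png" onerror="alert(1)'


def render_footer_unsafe(copyright_text: str) -> str:
    """Vulnerable: stored text concatenated straight into the HTML body."""
    return f"<footer>{copyright_text}</footer>"


def render_footer(copyright_text: str) -> str:
    """Fixed: body context, escape < > & and quotes on output."""
    return f"<footer>{html.escape(copyright_text, quote=True)}</footer>"


def render_photo_unsafe(user_photo: str) -> str:
    """Vulnerable: stored filename placed inside a quoted attribute as-is."""
    return f'<img src="/uploads/{user_photo}">'


def render_photo(user_photo: str) -> str:
    """Fixed: attribute context. quote=True is what stops a '"' in the value
    from terminating the src attribute; body-only escaping is not enough."""
    return f'<img src="/uploads/{html.escape(user_photo, quote=True)}">'


class TagCollector(HTMLParser):
    """Record every start tag and its attribute names, as a browser would."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parse_tags(fragment: str):
    """Return [(tagname, [attribute names]), ...] for an HTML fragment."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def has_active_content(fragment: str) -> bool:
    """Detection helper: does the fragment contain script-capable elements
    or on* event-handler attributes beyond the template's own tags?"""
    for tag, attr_names in parse_tags(fragment):
        if tag in ("script", "iframe", "object", "embed", "svg"):
            return True
        if any(a.startswith("on") for a in attr_names):
            return True
    return False


if __name__ == "__main__":
    for label, frag in [
        ("footer unsafe", render_footer_unsafe(COPYRIGHT_PAYLOAD)),
        ("footer escaped", render_footer(COPYRIGHT_PAYLOAD)),
        ("photo unsafe", render_photo_unsafe(PHOTO_PAYLOAD)),
        ("photo escaped", render_photo(PHOTO_PAYLOAD)),
    ]:
        print(f"{label:15} active={has_active_content(frag)!s:5} {parse_tags(frag)}")
```

In the project's own language the equivalent call is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`; the `ENT_QUOTES` flag plays the role of `quote=True` here. Escaping alone does not make a filename safe as an image source (a value like `../` still needs path validation), but it does close the attribute-breakout route that the `user_photo` entries describe, and because the copyright text is rendered on every page, that single field is the one to check first when auditing an instance.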