VYPR

Rukovoditel

by Rukovoditel

CVEs (52)

  • CVE-2020-18469 | Med | Aug 26, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST…

  • CVE-2020-35987 | Med | Jul 9, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

  • CVE-2020-35986 | Med | Jul 9, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

  • CVE-2020-35985 | Med | Jul 9, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Global Lists' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

  • CVE-2020-35984 | Med | Jul 9, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter.

  • CVE-2020-11821 | Med | Apr 27, 2020
    risk 0.35 | cvss 5.3 | epss 0.01

    In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them.

  • CVE-2020-11813 | Med | Apr 16, 2020
    risk 0.35 | cvss 5.4 | epss 0.01

    In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous.

  • CVE-2023-53913 | Dec 17, 2025
    risk 0.00 | cvss | epss 0.01

    Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file.

  • CVE-2023-53898 | Dec 16, 2025
    risk 0.00 | cvss | epss 0.00

    Rukovoditel 3.4.1 contains stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers.

  • CVE-2023-53897 | Dec 16, 2025
    risk 0.00 | cvss | epss 0.00

    Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers.

  • CVE-2024-34468 | May 4, 2024
    risk 0.00 | cvss | epss 0.00

    Rukovoditel before 3.5.3 allows XSS via user_photo to My Page.

  • CVE-2024-34469 | May 4, 2024
    risk 0.00 | cvss | epss 0.01

    Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save.

Page 3 of 3