Rukovoditel
Products
- 52 CVEs
- 24 CVEs
- 4 CVEs
Recent CVEs
| CVE | Product | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-11819 | Rukovoditel | Critical | 0.69 | 9.8 | 0.27 | Apr 16, 2020 | In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution. |
| CVE-2022-48175 | Rukovoditel | Critical | 0.64 | 9.8 | 0.02 | Jan 30, 2023 | Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request. |
| CVE-2022-44945 | Rukovoditel | Critical | 0.64 | 9.8 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter. |
| CVE-2022-43168 | Rukovoditel | Critical | 0.64 | 9.8 | 0.01 | Oct 28, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter. |
| CVE-2020-11817 | Rukovoditel | Critical | 0.64 | 9.8 | 0.02 | Apr 27, 2020 | In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server just by changing the Content-Type value. As a result, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting. |
| CVE-2020-11820 | Rukovoditel | Critical | 0.64 | 9.8 | 0.02 | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter. |
| CVE-2020-11816 | Rukovoditel | Critical | 0.64 | 9.8 | 0.02 | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter. |
| CVE-2020-11815 | Rukovoditel | Critical | 0.64 | 9.8 | 0.02 | Apr 16, 2020 | In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server just by changing the Content-Type value. As a result, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. |
| CVE-2020-11812 | Rukovoditel | Critical | 0.64 | 9.8 | 0.02 | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter. |
| CVE-2018-20166 | Rukovoditel | High | 0.61 | 8.8 | 0.07 | Jan 2, 2019 | A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in… |
| CVE-2026-31845 | Rukovoditel | Critical | 0.60 | 9.3 | 0.01 | Apr 11, 2026 | A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response… |
| CVE-2025-5993 | ITCube CRM | Critical | 0.60 | — | 0.01 | Sep 8, 2025 | ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. An unauthenticated remote attacker is able to exploit the vulnerable parameter fileName and construct payloads that allow downloading any file accessible by the web server process. |
| CVE-2022-45020 | Rukovoditel | High | 0.57 | 8.8 | 0.01 | Dec 5, 2022 | Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request. |
| CVE-2022-43288 | Rukovoditel | High | 0.57 | 8.8 | 0.01 | Nov 14, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php. |
| CVE-2020-13589 | Rukovoditel | High | 0.57 | 8.8 | 0.01 | Aug 17, 2021 | An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the ‘entities/fields’ page (multiple_edit, copy_selected or export function) is vulnerable to authenticated SQL… |
| CVE-2020-13588 | Rukovoditel | High | 0.57 | 8.8 | 0.01 | Aug 17, 2021 | An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in the ‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated… |
| CVE-2021-30224 | Rukovoditel | High | 0.57 | 8.8 | 0.01 | Apr 29, 2021 | Cross-Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with arbitrary credentials. |
| CVE-2020-13592 | Rukovoditel | High | 0.57 | 8.8 | 0.02 | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in the "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this… |
| CVE-2020-13591 | Rukovoditel | High | 0.57 | 8.8 | 0.02 | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,… |
| CVE-2020-13587 | Rukovoditel | High | 0.57 | 8.8 | 0.02 | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,… |
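The table names concrete endpoints and parameters (module=dashboard/ajax_request, module=configuration/save, module=users/login, /api/tel/zadarma.php with zd_echo, and the SQL-injectable entities_id, reports_id, heading_field_id, order_by and filters[N][value] parameters). The script below, an added example written for this page and not Rukovoditel project code or anything taken from an advisory, turns those into a first-pass triage of web-server access logs. The log lines are constructed, the injection and markup indicator regexes are assumptions to be tuned for real traffic, and the `lang_file` parameter name is a placeholder, because the CVE-2020-11819 description does not say which parameter carries the language-file path.

```python
"""Triage Rukovoditel access-log lines against the endpoints and parameters
named in the CVE table.  Added example for this page, not Rukovoditel code.
Indicator regexes, sample log lines and the `lang_file` name are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx combined log: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Parameters the table lists as SQL-injectable, plus the filters[N][value] family.
SQLI_PARAMS = {"entities_id", "reports_id", "heading_field_id", "order_by"}
FILTER_PARAM_RE = re.compile(r"^filters\[\d+\]\[value\]$")
SQLI_REFS = ("CVE-2020-11812/11816/11820, CVE-2020-13587..13592, "
             "CVE-2022-43168/43288/44945")

# Assumed attack indicators; loosen or tighten for your own traffic.
SQLI_RE = re.compile(r"""['"`]|--|/\*|\b(union|select|sleep|benchmark)\b|\bor\s+\d+=\d+""", re.I)
XSS_RE = re.compile(r"<|javascript:|\bon\w+\s*=", re.I)
INCLUDE_RE = re.compile(r"\.\./|\.php\b", re.I)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "path": target.path,
        "params": parse_qs(target.query, keep_blank_values=True),  # percent-decoded
        "status": int(m.group("status")),
    }


def check_request(req):
    """Return [(reference, reason), ...] for one parsed request."""
    findings = []
    path, method, params = req["path"], req["method"], req["params"]
    module = params.get("module", [""])[0]

    # CVE-2026-31845: zd_echo is reflected into the response unencoded.
    if path.endswith("/api/tel/zadarma.php"):
        for v in params.get("zd_echo", []):
            if XSS_RE.search(v):
                findings.append(("CVE-2026-31845", f"markup in zd_echo: {v!r}"))

    # CVE-2022-48175: RCE in the dashboard AJAX handler.  Normal UI traffic also
    # hits this module, so this is a review item, not proof of exploitation.
    if module == "dashboard/ajax_request":
        findings.append(("CVE-2022-48175", "request to dashboard/ajax_request; correlate by client"))

    # CVE-2018-20166: background-image upload with weak extension checking.
    if module == "configuration/save" and method == "POST":
        findings.append(("CVE-2018-20166", "POST to the background-image upload handler"))

    # CVE-2022-45020: DOM XSS on the login page; the advisory names no parameter.
    if module == "users/login":
        for name, values in params.items():
            if name != "module" and any(XSS_RE.search(v) for v in values):
                findings.append(("CVE-2022-45020", f"markup in login parameter {name}"))

    for name, values in params.items():
        if name == "module":
            continue
        if name in SQLI_PARAMS or FILTER_PARAM_RE.match(name):
            for v in values:
                if SQLI_RE.search(v):
                    findings.append((SQLI_REFS, f"SQL metacharacters in {name}={v!r}"))
        # CVE-2020-11819: a .php path supplied where a language file is expected.
        for v in values:
            if INCLUDE_RE.search(v):
                findings.append(("CVE-2020-11819", f"file path in {name}={v!r}"))
    return findings


def triage(lines):
    """Run every rule over an iterable of log lines; findings come back in log order."""
    results = []
    for n, line in enumerate(lines, 1):
        req = parse_line(line)
        if req is None:
            continue
        for ref, reason in check_request(req):
            results.append({"line": n, "client": req["client"], "ref": ref, "reason": reason})
    return results


# Constructed sample log (RFC 5737 addresses); not captured from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2026:10:15:01 +0000] "GET /rukovoditel/index.php?module=entities/fields&entities_id=5 HTTP/1.1" 200 4123
203.0.113.7 - - [11/Apr/2026:10:15:09 +0000] "GET /rukovoditel/index.php?module=entities/fields&entities_id=1'%20OR%201=1-- HTTP/1.1" 200 9871
203.0.113.7 - - [11/Apr/2026:10:15:12 +0000] "GET /rukovoditel/index.php?module=logs/view&type=php&order_by=id)%20UNION%20SELECT%20SLEEP(5)-- HTTP/1.1" 200 512
198.51.100.4 - - [11/Apr/2026:10:16:30 +0000] "GET /rukovoditel/api/tel/zadarma.php?zd_echo=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 61
198.51.100.4 - - [11/Apr/2026:10:16:44 +0000] "POST /rukovoditel/index.php?module=dashboard/ajax_request HTTP/1.1" 200 17
192.0.2.9 - - [11/Apr/2026:10:20:00 +0000] "GET /rukovoditel/index.php?module=users/login&lang_file=../../uploads/x.php HTTP/1.1" 200 3301
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']:>3}  {f['client']:<14} {f['ref']}: {f['reason']}")
```

Access logs only carry the request line, so this catches GET-side abuse. The POST-side issues in the table (the reports_id POST parameter of CVE-2020-11816, the Content-Type tricks of CVE-2020-11815/11817, the CSRF admin creation of CVE-2021-30224) need request-body logging at a reverse proxy or WAF, or the application's own logs. A hit on dashboard/ajax_request or configuration/save is a prompt to look at the client and timing, not evidence of compromise on its own.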