VYPR
Vendor

Rukovoditel

Products
3
CVEs
76
Across products
80
Status
Private

Products

3

Recent CVEs

76
View all 76 CVEs →
  • CVE-2020-11819CriApr 16, 2020
    risk 0.69cvss 9.8epss 0.27

    In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.

  • CVE-2022-48175CriJan 30, 2023
    risk 0.64cvss 9.8epss 0.02

    Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request.

  • CVE-2022-44945CriDec 2, 2022
    risk 0.64cvss 9.8epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter.

  • CVE-2022-43168CriOct 28, 2022
    risk 0.64cvss 9.8epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter.

  • CVE-2020-11817CriApr 27, 2020
    risk 0.64cvss 9.8epss 0.02

    In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting.

  • CVE-2020-11820CriApr 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter.

  • CVE-2020-11816CriApr 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter.

  • CVE-2020-11815CriApr 16, 2020
    risk 0.64cvss 9.8epss 0.02

    In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting.

  • CVE-2020-11812CriApr 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter.

  • CVE-2018-20166HigJan 2, 2019
    risk 0.61cvss 8.8epss 0.07

    A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in…

  • CVE-2026-31845CriApr 11, 2026
    risk 0.60cvss 9.3epss 0.01

    A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response…

  • CVE-2025-5993CriSep 8, 2025
    risk 0.60cvss epss 0.01

    ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit vulnerable parameter fileName and construct payloads that allow to download any file accessible by the the web server process.

  • CVE-2022-45020HigDec 5, 2022
    risk 0.57cvss 8.8epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

  • CVE-2022-43288HigNov 14, 2022
    risk 0.57cvss 8.8epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php.

  • CVE-2020-13589HigAug 17, 2021
    risk 0.57cvss 8.8epss 0.01

    An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL…

  • CVE-2020-13588HigAug 17, 2021
    risk 0.57cvss 8.8epss 0.01

    An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated…

  • CVE-2021-30224HigApr 29, 2021
    risk 0.57cvss 8.8epss 0.01

    Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials.

  • CVE-2020-13592HigApr 9, 2021
    risk 0.57cvss 8.8epss 0.02

    An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this…

  • CVE-2020-13591HigApr 9, 2021
    risk 0.57cvss 8.8epss 0.02

    An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,…

  • CVE-2020-13587HigApr 9, 2021
    risk 0.57cvss 8.8epss 0.02

    An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,…