Vendor CVEs
Rukovoditel
All CVEs
76 total · sorted by risk

| CVE | Sev | Risk | CVSS | EPSS | Published | Description | Vendor / Product | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-11819 | Cri | 0.69 | 9.8 | 0.27 | Apr 16, 2020 | In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution. | ||
| CVE-2022-48175 | Cri | 0.64 | 9.8 | 0.02 | Jan 30, 2023 | Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request. | ||
| CVE-2022-44945 | Cri | 0.64 | 9.8 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter. | ||
| CVE-2022-43168 | Cri | 0.64 | 9.8 | 0.01 | Oct 28, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter. | ||
| CVE-2020-11817 | Cri | 0.64 | 9.8 | 0.02 | Apr 27, 2020 | In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting. | ||
| CVE-2020-11820 | Cri | 0.64 | 9.8 | 0.02 | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter. | ||
| CVE-2020-11816 | Cri | 0.64 | 9.8 | 0.02 | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter. | ||
| CVE-2020-11815 | Cri | 0.64 | 9.8 | 0.02 | Apr 16, 2020 | In Rukovoditel 2.5.2, attackers can upload an arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. | ||
| CVE-2020-11812 | Cri | 0.64 | 9.8 | 0.02 | Apr 16, 2020 | Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter. | ||
| CVE-2018-20166 | Hig | 0.61 | 8.8 | 0.07 | Jan 2, 2019 | A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in… | ||
| CVE-2026-31845 | Cri | 0.60 | 9.3 | 0.01 | Apr 11, 2026 | A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response… | ||
| CVE-2025-5993 | Cri | 0.60 | — | 0.01 | Sep 8, 2025 | ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. An unauthenticated remote attacker is able to exploit the vulnerable parameter fileName and construct payloads that allow downloading any file accessible by the web server process. | ||
| CVE-2022-45020 | Hig | 0.57 | 8.8 | 0.01 | Dec 5, 2022 | Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | ||
| CVE-2022-43288 | Hig | 0.57 | 8.8 | 0.01 | Nov 14, 2022 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php. | ||
| CVE-2020-13589 | Hig | 0.57 | 8.8 | 0.01 | Aug 17, 2021 | An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the ‘entities/fields’ page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL… | ||
| CVE-2020-13588 | Hig | 0.57 | 8.8 | 0.01 | Aug 17, 2021 | An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in the ‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated… | ||
| CVE-2021-30224 | Hig | 0.57 | 8.8 | 0.01 | Apr 29, 2021 | Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with arbitrary credentials. | ||
| CVE-2020-13592 | Hig | 0.57 | 8.8 | 0.02 | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this… | ||
| CVE-2020-13591 | Hig | 0.57 | 8.8 | 0.02 | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,… | ||
| CVE-2020-13587 | Hig | 0.57 | 8.8 | 0.02 | Apr 9, 2021 | An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,… | ||
| CVE-2020-11818 | Hig | 0.57 | 8.8 | 0.01 | Apr 16, 2020 | Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user's valid token. Thus, an attacker can change the Admin password by using a CSRF attack and escalate his/her privileges. | ||
| CVE-2024-40530 | Hig | 0.49 | 7.5 | 0.00 | Aug 5, 2024 | A vulnerability in Pantera CRM versions 401.152 and 402.072 allows unauthorized attackers to bypass IP-based access controls by manipulating the X-Forwarded-For header. | ||
| CVE-2025-14189 | Hig | 0.47 | 7.3 | 0.00 | Dec 7, 2025 | A vulnerability was detected in Chanjet CRM up to 20251121. Affected is an unknown function of the file /tools/jxf_dump_table_demo.php. The manipulation of the argument gblOrgID results in sql injection. The attack may be performed from remote. The exploit is now public and may… | ||
| CVE-2025-13788 | Hig | 0.47 | 7.3 | 0.00 | Nov 30, 2025 | A vulnerability has been found in Chanjet CRM up to 20251106. The impacted element is an unknown function of the file /tools/upgradeattribute.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been… | ||
| CVE-2025-60375 | Hig | 0.47 | 7.3 | 0.00 | Oct 9, 2025 | The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts,… | ||
| CVE-2025-7915 | Hig | 0.47 | 7.3 | 0.00 | Jul 21, 2025 | A vulnerability was found in Chanjet CRM 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /mail/mailinactive.php of the component Login Page. The manipulation leads to sql injection. The attack may be launched remotely. The exploit… | ||
| CVE-2025-7801 | Hig | 0.47 | 7.3 | 0.00 | Jul 18, 2025 | A vulnerability has been found in BossSoft CRM 6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The manipulation of the argument cstid leads to sql injection. The attack can be… | ||
| CVE-2025-6132 | Hig | 0.47 | 7.3 | 0.00 | Jun 16, 2025 | A vulnerability has been found in Chanjet CRM 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sysconfig/departmentsetting.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be launched… | ||
| CVE-2020-13590 | Hig | 0.47 | 7.2 | 0.01 | Apr 18, 2022 | Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities,… | ||
| CVE-2019-7541 | Med | 0.43 | 6.1 | 0.03 | May 7, 2019 | Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring. | ||
| CVE-2019-7400 | Med | 0.43 | 6.1 | 0.06 | Feb 5, 2019 | Rukovoditel before 2.4.1 allows XSS. | ||
| CVE-2020-21732 | Med | 0.40 | 6.1 | 0.01 | Sep 14, 2020 | Rukovoditel Project Management app 2.6 is affected by: Cross Site Scripting (XSS). An attacker can add JavaScript code to the filename. | ||
| CVE-2020-11822 | Med | 0.40 | 6.1 | 0.01 | Apr 27, 2020 | In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. Thus, an attacker can inject malicious script to steal all users' valuable data. | ||
| CVE-2022-44952 | Med | 0.35 | 5.4 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text… | ||
| CVE-2022-44951 | Med | 0.35 | 5.4 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload… | ||
| CVE-2022-44950 | Med | 0.35 | 5.4 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload… | ||
| CVE-2022-44949 | Med | 0.35 | 5.4 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload… | ||
| CVE-2022-44948 | Med | 0.35 | 5.4 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at /index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected… | ||
| CVE-2022-44947 | Med | 0.35 | 5.4 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted… | ||
| CVE-2022-44946 | Med | 0.35 | 5.4 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload… | ||
| CVE-2022-44944 | Med | 0.35 | 5.4 | 0.01 | Dec 2, 2022 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted… | ||
| CVE-2022-43170 | Med | 0.35 | 5.4 | 0.01 | Oct 28, 2022 | A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title… | ||
| CVE-2022-43169 | Med | 0.35 | 5.4 | 0.01 | Oct 28, 2022 | A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter… | ||
| CVE-2022-43167 | Med | 0.35 | 5.4 | 0.01 | Oct 28, 2022 | A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after… | ||
| CVE-2022-43166 | Med | 0.35 | 5.4 | 0.01 | Oct 28, 2022 | A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after… | ||
| CVE-2022-43165 | Med | 0.35 | 5.4 | 0.01 | Oct 28, 2022 | A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after… | ||
| CVE-2022-43164 | Med | 0.35 | 5.4 | 0.01 | Oct 28, 2022 | A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after… | ||
| CVE-2022-43185 | Med | 0.35 | 5.4 | 0.01 | Oct 19, 2022 | A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter. | ||
| CVE-2020-18470 | Med | 0.35 | 5.4 | 0.01 | Aug 26, 2021 | Stored cross-site scripting (XSS) vulnerability in the Name of application field found in the General Configuration page in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to… | ||
| CVE-2020-18469 | Med | 0.35 | 5.4 | 0.01 | Aug 26, 2021 | Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST… |
Page 1 of 2