VYPR

Vendor CVEs

Rukovoditel

All CVEs

76 total · sorted by risk
  • CVE-2020-11819CriApr 16, 2020
    risk 0.69cvss 9.8epss 0.27

    In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution.

  • CVE-2022-48175CriJan 30, 2023
    risk 0.64cvss 9.8epss 0.02

    Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request.

  • CVE-2022-44945CriDec 2, 2022
    risk 0.64cvss 9.8epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter.

  • CVE-2022-43168CriOct 28, 2022
    risk 0.64cvss 9.8epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter.

  • CVE-2020-11817CriApr 27, 2020
    risk 0.64cvss 9.8epss 0.02

    In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting.

  • CVE-2020-11820CriApr 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter.

  • CVE-2020-11816CriApr 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter.

  • CVE-2020-11815CriApr 16, 2020
    risk 0.64cvss 9.8epss 0.02

    In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting.

  • CVE-2020-11812CriApr 16, 2020
    risk 0.64cvss 9.8epss 0.02

    Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter.

  • CVE-2018-20166HigJan 2, 2019
    risk 0.61cvss 8.8epss 0.07

    A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in…

  • CVE-2026-31845CriApr 11, 2026
    risk 0.60cvss 9.3epss 0.01

    A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response…

  • CVE-2025-5993CriSep 8, 2025
    risk 0.60cvss epss 0.01

    ITCube CRM in versions from 2023.2 through 2025.2 is vulnerable to path traversal. Unauthenticated remote attacker is able to exploit vulnerable parameter fileName and construct payloads that allow to download any file accessible by the the web server process.

  • CVE-2022-45020HigDec 5, 2022
    risk 0.57cvss 8.8epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

  • CVE-2022-43288HigNov 14, 2022
    risk 0.57cvss 8.8epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php.

  • CVE-2020-13589HigAug 17, 2021
    risk 0.57cvss 8.8epss 0.01

    An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL…

  • CVE-2020-13588HigAug 17, 2021
    risk 0.57cvss 8.8epss 0.01

    An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated…

  • CVE-2021-30224HigApr 29, 2021
    risk 0.57cvss 8.8epss 0.01

    Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials.

  • CVE-2020-13592HigApr 9, 2021
    risk 0.57cvss 8.8epss 0.02

    An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this…

  • CVE-2020-13591HigApr 9, 2021
    risk 0.57cvss 8.8epss 0.02

    An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,…

  • CVE-2020-13587HigApr 9, 2021
    risk 0.57cvss 8.8epss 0.02

    An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability,…

  • CVE-2020-11818HigApr 16, 2020
    risk 0.57cvss 8.8epss 0.01

    In Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user's valid token. Thus, an attacker can change the Admin password by using a CSRF attack and escalate his/her privileges.

  • CVE-2024-40530HigAug 5, 2024
    risk 0.49cvss 7.5epss 0.00

    A vulnerability in Pantera CRM versions 401.152 and 402.072 allows unauthorized attackers to bypass IP-based access controls by manipulating the X-Forwarded-For header.

  • CVE-2025-14189HigDec 7, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was detected in Chanjet CRM up to 20251121. Affected is an unknown function of the file /tools/jxf_dump_table_demo.php. The manipulation of the argument gblOrgID results in sql injection. The attack may be performed from remote. The exploit is now public and may…

  • CVE-2025-13788HigNov 30, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in Chanjet CRM up to 20251106. The impacted element is an unknown function of the file /tools/upgradeattribute.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been…

  • CVE-2025-60375HigOct 9, 2025
    risk 0.47cvss 7.3epss 0.00

    The authentication mechanism in Perfex CRM before 3.3.1 allows attackers to bypass login credentials due to insufficient server-side validation. By sending empty username and password parameters in the login request, an attacker can gain unauthorized access to user accounts,…

  • CVE-2025-7915HigJul 21, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability was found in Chanjet CRM 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /mail/mailinactive.php of the component Login Page. The manipulation leads to sql injection. The attack may be launched remotely. The exploit…

  • CVE-2025-7801HigJul 18, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in BossSoft CRM 6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The manipulation of the argument cstid leads to sql injection. The attack can be…

  • CVE-2025-6132HigJun 16, 2025
    risk 0.47cvss 7.3epss 0.00

    A vulnerability has been found in Chanjet CRM 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /sysconfig/departmentsetting.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be launched…

  • CVE-2020-13590HigApr 18, 2022
    risk 0.47cvss 7.2epss 0.01

    Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities,…

  • CVE-2019-7541MedMay 7, 2019
    risk 0.43cvss 6.1epss 0.03

    Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.

  • CVE-2019-7400MedFeb 5, 2019
    risk 0.43cvss 6.1epss 0.06

    Rukovoditel before 2.4.1 allows XSS.

  • CVE-2020-21732MedSep 14, 2020
    risk 0.40cvss 6.1epss 0.01

    Rukovoditel Project Management app 2.6 is affected by: Cross Site Scripting (XSS). An attacker can add JavaScript code to the filename.

  • CVE-2020-11822MedApr 27, 2020
    risk 0.40cvss 6.1epss 0.01

    In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. Thus, an attacker can inject malicious script to steal all users' valuable data.

  • CVE-2022-44952MedDec 2, 2022
    risk 0.35cvss 5.4epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text…

  • CVE-2022-44951MedDec 2, 2022
    risk 0.35cvss 5.4epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload…

  • CVE-2022-44950MedDec 2, 2022
    risk 0.35cvss 5.4epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload…

  • CVE-2022-44949MedDec 2, 2022
    risk 0.35cvss 5.4epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload…

  • CVE-2022-44948MedDec 2, 2022
    risk 0.35cvss 5.4epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected…

  • CVE-2022-44947MedDec 2, 2022
    risk 0.35cvss 5.4epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted…

  • CVE-2022-44946MedDec 2, 2022
    risk 0.35cvss 5.4epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload…

  • CVE-2022-44944MedDec 2, 2022
    risk 0.35cvss 5.4epss 0.01

    Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted…

  • CVE-2022-43170MedOct 28, 2022
    risk 0.35cvss 5.4epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title…

  • CVE-2022-43169MedOct 28, 2022
    risk 0.35cvss 5.4epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter…

  • CVE-2022-43167MedOct 28, 2022
    risk 0.35cvss 5.4epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after…

  • CVE-2022-43166MedOct 28, 2022
    risk 0.35cvss 5.4epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after…

  • CVE-2022-43165MedOct 28, 2022
    risk 0.35cvss 5.4epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after…

  • CVE-2022-43164MedOct 28, 2022
    risk 0.35cvss 5.4epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after…

  • CVE-2022-43185MedOct 19, 2022
    risk 0.35cvss 5.4epss 0.01

    A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.

  • CVE-2020-18470MedAug 26, 2021
    risk 0.35cvss 5.4epss 0.01

    Stored cross-site scripting (XSS) vulnerability in the Name of application field found in the General Configuration page in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to…

  • CVE-2020-18469MedAug 26, 2021
    risk 0.35cvss 5.4epss 0.01

    Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST…

Page 1 of 2