Vulnerabilities > Rukovoditel > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-10-28 CVE-2022-43166 Cross-site Scripting vulnerability in Rukovoditel 3.2.1
A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity".
network
low complexity
rukovoditel CWE-79
5.4
2022-10-28 CVE-2022-43167 Cross-site Scripting vulnerability in Rukovoditel 3.2.1
A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add".
network
low complexity
rukovoditel CWE-79
5.4
2022-10-28 CVE-2022-43169 Cross-site Scripting vulnerability in Rukovoditel 3.2.1
A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Group".
network
low complexity
rukovoditel CWE-79
5.4
2022-10-28 CVE-2022-43170 Cross-site Scripting vulnerability in Rukovoditel 3.2.1
A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block".
network
low complexity
rukovoditel CWE-79
5.4
2022-10-19 CVE-2022-43185 Cross-site Scripting vulnerability in Rukovoditel 3.2.1
A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.
network
low complexity
rukovoditel CWE-79
5.4
2022-04-18 CVE-2020-13590 SQL Injection vulnerability in Rukovoditel 2.7.2
Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2.
network
low complexity
rukovoditel CWE-89
6.5
2021-04-29 CVE-2021-30224 Cross-Site Request Forgery (CSRF) vulnerability in Rukovoditel 2.8.3
Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with arbitrary credentials.
6.8
2020-09-14 CVE-2020-21732 Cross-site Scripting vulnerability in Rukovoditel 2.6
Rukovoditel Project Management app 2.6 is affected by: Cross Site Scripting (XSS).
network
low complexity
rukovoditel CWE-79
6.1
2020-04-27 CVE-2020-11822 Cross-site Scripting vulnerability in Rukovoditel 2.5.2
In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page.
4.3
2020-04-27 CVE-2020-11821 Cleartext Storage of Sensitive Information vulnerability in Rukovoditel 2.5.2
In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing.
network
low complexity
rukovoditel CWE-312
5.0