Filtered by vendor Rukovoditel
Subscriptions
Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11821 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 5.3 Medium |
| In Rukovoditel 2.5.2, users' passwords and usernames are stored in a cookie with URL encoding, base64 encoding, and hashing. Thus, an attacker can easily apply brute force on them. | ||||
| CVE-2020-11819 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 9.8 Critical |
| In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution. | ||||
| CVE-2020-11817 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 9.8 Critical |
| In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting. | ||||
| CVE-2020-11815 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 9.8 Critical |
| In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. | ||||
| CVE-2020-11818 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 8.8 High |
| In Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. This protection mechanism can be bypassed with another user's valid token. Thus, an attacker can change the Admin password by using a CSRF attack and escalate his/her privileges. | ||||
| CVE-2020-11813 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 5.4 Medium |
| In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous. | ||||
| CVE-2021-30224 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 8.8 High |
| Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary credentials. | ||||
| CVE-2022-48175 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 9.8 Critical |
| Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request. | ||||
| CVE-2022-45020 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 8.8 High |
| Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | ||||
| CVE-2022-44952 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking "Add". | ||||
| CVE-2022-44949 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Short Name field. | ||||
| CVE-2022-44950 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | ||||
| CVE-2022-44944 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field. | ||||
| CVE-2022-44951 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | ||||
| CVE-2022-44947 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note field after clicking "Add". | ||||
| CVE-2022-44945 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 9.8 Critical |
| Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter. | ||||
| CVE-2022-44948 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at/index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add". | ||||
| CVE-2022-44946 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field. | ||||
| CVE-2022-43288 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 8.8 High |
| Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php. | ||||
| CVE-2022-43166 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-03 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in the Global Entities feature (/index.php?module=entities/entities) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Entity". | ||||