Filtered by vendor Rukovoditel
Subscriptions
Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-13590 | 1 Rukovoditel | 1 Rukovoditel | 2024-09-16 | 7.2 High |
| Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2018-20166 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-05 | N/A |
| A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in ".php" with mixed case, such as the .pHp extension. | ||||
| CVE-2019-7541 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | N/A |
| Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring. | ||||
| CVE-2019-7400 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 6.1 Medium |
| Rukovoditel before 2.4.1 allows XSS. | ||||
| CVE-2020-35986 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | ||||
| CVE-2020-35987 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | ||||
| CVE-2020-35985 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. | ||||
| CVE-2020-35984 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 5.4 Medium |
| A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. | ||||
| CVE-2020-21732 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 6.1 Medium |
| Rukovoditel Project Management app 2.6 is affected by: Cross Site Scripting (XSS). An attacker can add JavaScript code to the filename. | ||||
| CVE-2020-18470 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 5.4 Medium |
| Stored cross-site scripting (XSS) vulnerability in the Name of application field found in the General Configuration page in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to rukovoditel_2.4.1/install/index.php. | ||||
| CVE-2020-18469 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 5.4 Medium |
| Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to /rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application. | ||||
| CVE-2020-13591 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 8.8 High |
| An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2020-13587 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 8.8 High |
| An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2020-13592 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 8.8 High |
| An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2020-13589 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 8.8 High |
| An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2020-13588 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 8.8 High |
| An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. | ||||
| CVE-2020-11820 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 9.8 Critical |
| Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter. | ||||
| CVE-2020-11822 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 6.1 Medium |
| In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the application structure --> user access groups page. Thus, an attacker can inject malicious script to steal all users' valuable data. | ||||
| CVE-2020-11812 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 9.8 Critical |
| Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter. | ||||
| CVE-2020-11816 | 1 Rukovoditel | 1 Rukovoditel | 2024-08-04 | 9.8 Critical |
| Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter. | ||||