CVE-2019-7541 – Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-7541
Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring. The Packet Storm and Exploit-DB entries describe this as a cross-site scripting vulnerability in Rukovoditel Project Management CRM version 2.4.1. • https://www.exploit-db.com/exploits/46366 http://packetstormsecurity.com/files/151657/Rukovoditel-Project-Management-CRM-2.4.1-Cross-Site-Scripting.html https://blog.rukovoditel.net/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-7400 – Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-7400
Rukovoditel before 2.4.1 allows XSS (NVD summary). The Exploit-DB, Packet Storm and hackpuntes entries describe a reflected cross-site scripting vulnerability via the 'path' parameter in Rukovoditel ERP and CRM version 2.4.1; the vendor's 2.4.1 release notes are among the references. • https://www.exploit-db.com/exploits/46608 http://packetstormsecurity.com/files/152248/Rukovoditel-ERP-And-CRM-2.4.1-Cross-Site-Scripting.html https://blog.rukovoditel.net/rukovoditel-2-4-1 https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20166 – Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-20166
A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save lets an authenticated user upload a background image, and the extension check is mishandled: the content check is satisfied when the first few bytes match a GIF header, and the extension check is case-sensitive, so a PHP file whose name ends in a mixed-case variant of ".php" such as .pHp is accepted and stored with a PHP-executable extension. The pentest.com.tr advisory classifies this as authenticated remote code execution. • https://www.exploit-db.com/exploits/46011 https://pentest.com.tr/exploits/Rukovoditel-Project-Management-CRM-2-3-1-Authenticated-Remote-Code-Execution.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
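The CWE-434 pattern above (image magic-byte sniffing plus a case-sensitive extension denylist) is worth seeing side by side with a check that closes it. The following is an added illustration, not Rukovoditel's code: weak_check approximates the flawed logic as the advisory describes it, hardened_check is one way to validate the same upload, and find_polyglots is a sweep an incident responder could run over an upload directory. The allowlist, the DANGEROUS set, the sample filenames and the synthetic file bytes are assumptions chosen for the demo.

```python
"""Weak vs hardened image-upload validation for the CWE-434 pattern described
above. Illustrative code, not the project's own; sample data is constructed."""
import os
import re
import secrets
from typing import Dict, List, Optional

# Constructed sample uploads (synthetic bytes, not real files).
GIF_MAGIC = b"GIF89a"
SAMPLES: Dict[str, bytes] = {
    "background.gif": GIF_MAGIC + b"\x01\x00\x01\x00\x80\x00\x00;",
    "BACKGROUND.GIF": GIF_MAGIC + b"\x01\x00\x01\x00\x80\x00\x00;",
    "shell.pHp":      GIF_MAGIC + b"\n<?php echo 'owned'; ?>",
    "shell.php":      GIF_MAGIC + b"\n<?php echo 'owned'; ?>",
    "shell.php.gif":  GIF_MAGIC + b"\n<?php echo 'owned'; ?>",
    "notes.txt":      b"just text",
}

# Extension -> acceptable magic prefixes (assumed allowlist for the demo).
ALLOWED = {
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Name components that must never appear after the first dot (assumed list).
DANGEROUS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# "<?php" or "<?=" anywhere in the body, case-insensitive.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def weak_check(filename: str, data: bytes) -> bool:
    """Approximation of the flawed logic: GIF magic + case-sensitive '.php' denylist."""
    if not data.startswith((b"GIF87a", b"GIF89a")):
        return False
    return not filename.endswith(".php")      # 'shell.pHp' slips through here


def hardened_check(filename: str, data: bytes) -> bool:
    """Case-insensitive allowlist, no dangerous inner extension, magic must
    match the claimed type, and no PHP open tag anywhere in the body."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return False
    if any(p in DANGEROUS for p in parts[1:]):   # catches shell.php.gif
        return False
    if not data.startswith(ALLOWED[ext]):        # magic must match extension
        return False
    if PHP_OPEN_TAG.search(data):                # GIF/PHP polyglot
        return False
    return True


def storage_name(filename: str) -> Optional[str]:
    """Server-chosen name: random token plus the allowlisted extension, so no
    part of the client-supplied name reaches the filesystem."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return None
    return secrets.token_hex(16) + ext


def find_polyglots(files: Dict[str, bytes]) -> List[str]:
    """Forensic sweep of an upload directory: image magic plus a PHP open tag."""
    hits = []
    for name, data in files.items():
        looks_like_image = any(
            data.startswith(m) for magics in ALLOWED.values() for m in magics
        )
        if looks_like_image and PHP_OPEN_TAG.search(data):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} weak={weak_check(name, data)!s:5} "
              f"hardened={hardened_check(name, data)}")
    print("polyglots:", find_polyglots(SAMPLES))
```

The weak check also accepts shell.php.gif, which matters on servers whose PHP handler is keyed on any ".php" path component rather than the final extension. The open-tag scan is defence in depth, not the fix: the durable controls are the case-insensitive allowlist, a server-generated storage name, and keeping the upload directory non-executable or outside the web root, ideally after re-encoding the image with an image library so no attacker-controlled bytes survive.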