
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 3

Rukovoditel before 2.4.1 allows XSS. Rukovoditel ERP and CRM version 2.4.1 suffers from a cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/46608
• http://packetstormsecurity.com/files/152248/Rukovoditel-ERP-And-CRM-2.4.1-Cross-Site-Scripting.html
• https://blog.rukovoditel.net/rukovoditel-2-4-1
• https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data and the filename ends in ".php" with mixed case, such as the .pHp extension.
• https://www.exploit-db.com/exploits/46011
• https://pentest.com.tr/exploits/Rukovoditel-Project-Management-CRM-2-3-1-Authenticated-Remote-Code-Execution.html
• CWE-434: Unrestricted Upload of File with Dangerous Type