CVE-2020-35986
https://notcve.org/view.php?id=CVE-2020-35986
A stored cross-site scripting (XSS) vulnerability in the 'Users Access Groups' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.
Reference: https://github.com/r0ck3t1973/rukovoditel/issues/2
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-35987
https://notcve.org/view.php?id=CVE-2020-35987
A stored cross-site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.
Reference: https://github.com/r0ck3t1973/rukovoditel/issues/1
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13592
https://notcve.org/view.php?id=CVE-2020-13592
An exploitable SQL injection vulnerability exists in the "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability; this can be done either with administrator credentials or through cross-site request forgery.
Reference: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1201
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-13587
https://notcve.org/view.php?id=CVE-2020-13587
An exploitable SQL injection vulnerability exists in the "forms_fields_rules/rules" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability; this can be done either with administrator credentials or through cross-site request forgery.
Reference: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1198
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-13591
https://notcve.org/view.php?id=CVE-2020-13591
An exploitable SQL injection vulnerability exists in the "access_rules/rules_form" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability; this can be done either with administrator credentials or through cross-site request forgery.
Reference: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1200
Weakness: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')