CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11815
https://notcve.org/view.php?id=CVE-2020-11815
In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting. En Rukovoditel versión 2.5.2, los atacantes pueden cargar un archivo arbitrario al cambiar el valor content-type. Como resultado de eso, un atacante puede ejecutar un comando en el servidor. • https://fatihhcelik.blogspot.com/2020/01/rukovoditel-rce.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11816
https://notcve.org/view.php?id=CVE-2020-11816
Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) parameter. Rukovoditel versión 2.5.,2 está afectado por una vulnerabilidad de inyección SQL debido a un manejo inapropiado del parámetro reports_id (POST). • https://fatihhcelik.blogspot.com/2020/01/rukovoditel-sql-injection-reportsid-post.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11812
https://notcve.org/view.php?id=CVE-2020-11812
Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter. Rukovoditel versión 2.5.2, está afectado por una vulnerabilidad de inyección SQL debido al manejo inapropiado de los parámetros filters[0][value] o filters[1][value]. • https://fatihhcelik.blogspot.com/2020/01/rukovoditel-sql-injection-filters0value.html https://fatihhcelik.blogspot.com/2020/01/rukovoditel-sql-injection-filters1value.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11813
https://notcve.org/view.php?id=CVE-2020-11813
In Rukovoditel 2.5.2, there is a stored XSS vulnerability on the configuration page via the copyright text input. Thus, an attacker can inject a malicious script to steal all users' valuable data. This copyright text is on every page so this attack vector can be very dangerous. En Rukovoditel versión 2.5.2, hay una vulnerabilidad de tipo XSS almacenado en la página de configuración por medio de la entrada de texto copyright. Por lo tanto, un atacante puede inyectar un script malicioso para robar los datos valiosos de todos los usuarios. • https://fatihhcelik.blogspot.com/2020/01/rukovoditel-stored-xss.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-7541 – Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-7541
Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring. Rukovoditel hasta la versión 2.4.1 permite XSS mediante una URL que carece de una subcadena module=users%2flogin. Rukovoditel Project Management CRM version 2.4.1 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/46366 http://packetstormsecurity.com/files/151657/Rukovoditel-Project-Management-CRM-2.4.1-Cross-Site-Scripting.html https://blog.rukovoditel.net/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •