CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2020-13590
https://notcve.org/view.php?id=CVE-2020-13590
Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities, this can be done either with administrator credentials or through cross-site request forgery. Se presentan múltiples vulnerabilidades explotables de inyección SQL en la página "entities/fields" de Rukovoditel Project Management App versión 2.7.2. Una petición HTTP especialmente diseñada puede conllevar a una inyección SQL. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1199 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-13589
https://notcve.org/view.php?id=CVE-2020-13589
An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. Se presenta una vulnerabilidad de inyección SQL explotable en la página "entities/fields" de Rukovoditel Project Management App versión 2.7.2. El parámetro entities_id en la página "entities/fields" (función mulitple_edit o copy_selected o export) es vulnerable a una inyección SQL autenticada. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1199 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-13588
https://notcve.org/view.php?id=CVE-2020-13588
An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery. Se presenta una vulnerabilidad de inyección SQL explotable en la página "entities/fields" de Rukovoditel Project Management App versión 2.7.2. El parámetro heading_field_id de la página "entities/fields" es vulnerable a una inyección SQL autenticada. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1199 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35984
https://notcve.org/view.php?id=CVE-2020-35984
A stored cross site scripting (XSS) vulnerability in the 'Users Alerts' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Title' parameter. Una vulnerabilidad de tipo cross site scripting (XSS) almacenado en la funcionalidad "Users Alerts" de Rukovoditel versión 2.7.2, permite a atacantes autenticados ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada introducida en el parámetro "Title" • https://github.com/r0ck3t1973/rukovoditel/issues/4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35985
https://notcve.org/view.php?id=CVE-2020-35985
A stored cross site scripting (XSS) vulnerability in the 'Global Lists" feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter. Una vulnerabilidad de tipo cross site scripting (XSS) almacenado en la funcionalidad "Global Lists" de Rukovoditel versión 2.7.2, permite a atacantes autenticados ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada introducida en el parámetro "Name" • https://github.com/r0ck3t1973/rukovoditel/issues/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •