CVE-2020-13592
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.
Se presenta una vulnerabilidad de inyección SQL explotable en la página "global_lists/choices" de la Rukovoditel Project Management App versión 2.7.2. Una petición HTTP especialmente diseñada puede conllevar a una inyección SQL. Un atacante puede realizar una petición HTTP autenticada para desencadenar esta vulnerabilidad, esto puede ser hecho con credenciales de administrador o mediante un ataque de tipo cross-site request forgery
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-05-26 CVE Reserved
- 2021-04-09 CVE Published
- 2024-02-16 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://talosintelligence.com/vulnerability_reports/TALOS-2020-1201 | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Rukovoditel Search vendor "Rukovoditel" | Rukovoditel Search vendor "Rukovoditel" for product "Rukovoditel" | 2.7.2 Search vendor "Rukovoditel" for product "Rukovoditel" and version "2.7.2" | - |
Affected
| ||||||