Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to /rukovoditel_2.4.1/index.php?module=configuration/save&redirect_to=configuration/application.
References
| Link | Resource |
|---|---|
| https://github.com/joelister/Persistent-XSS-on-qdPM-9.1/issues/3 | Exploit Issue Tracking Third Party Advisory |
| https://github.com/joelister/Persistent-XSS-on-qdPM-9.1/issues/5 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
27 Aug 2021, 21:03
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-79 | |
| CVSS |
v2 : v3 : |
v2 : 3.5
v3 : 5.4 |
| CPE | cpe:2.3:a:rukovoditel:rukovoditel:2.4.1:*:*:*:*:*:*:* | |
| References | (MISC) https://github.com/joelister/Persistent-XSS-on-qdPM-9.1/issues/5 - Exploit, Issue Tracking, Third Party Advisory | |
| References | (MISC) https://github.com/joelister/Persistent-XSS-on-qdPM-9.1/issues/3 - Exploit, Issue Tracking, Third Party Advisory |
26 Aug 2021, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2021-08-26 18:15
Updated : 2024-02-04 21:47
NVD link : CVE-2020-18469
Mitre link : CVE-2020-18469
CVE.ORG link : CVE-2020-18469
JSON object : View
Products Affected
rukovoditel
- rukovoditel
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')