Stored Cross-Site Scripting Vulnerability in Rukovoditel by anhDQ
CVE-2022-43164
5.4 MEDIUM
What is CVE-2022-43164?
The vulnerability affects the Global Lists feature of Rukovoditel v3.2.1, specifically the Name parameter of the /index.php?module=global_lists/lists endpoint. An authenticated attacker can inject a specially crafted payload into this parameter, potentially allowing arbitrary web scripts or HTML to execute in the context of a user's session. This can lead to various malicious activities, including data theft and session hijacking.
References
EPSS Score
5% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
