XSS vulnerability in Rukovoditel before 3.5.3 via the user_photo parameter sent to index.php?module=users/registration&action=save
CVE-2024-34469
Currently unrated
What is CVE-2024-34469?
A cross-site scripting vulnerability has been identified in Rukovoditel prior to version 3.5.3. This flaw allows attackers to inject malicious scripts via the user_photo parameter during the user registration process. Exploiting this vulnerability can lead to unauthorized actions on behalf of users, compromise sensitive information, and potentially redirect users to malicious sites. Organizations utilizing Rukovoditel should prioritize upgrading to the latest version to mitigate this security risk.
