CVE-2020-13589: SQL Injection
First published: Tue Aug 17 2021(Updated: )
An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 'entities/fields page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.
Credit: talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rukovoditel Rukovoditel | =2.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2020-13589?
CVE-2020-13589 is an SQL injection vulnerability found in the 'entities/fields' page of the Rukovoditel Project Management App version 2.7.2.
How severe is CVE-2020-13589?
CVE-2020-13589 has a severity score of 8.8 (high).
Which software version is affected by CVE-2020-13589?
CVE-2020-13589 affects Rukovoditel Project Management App version 2.7.2.
What is the Common Weakness Enumeration (CWE) for CVE-2020-13589?
The CWE for CVE-2020-13589 is CWE-89 (SQL Injection).
Is authentication required to exploit CVE-2020-13589?
Yes, authenticated access is required to exploit CVE-2020-13589.
- collector/nvd-index
- agent/tags
- agent/event
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- vendor/rukovoditel
- canonical/rukovoditel rukovoditel
- version/rukovoditel rukovoditel/2.7.2