First published: Mon Apr 18 2022
Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities; this can be done either with administrator credentials or through cross-site request forgery.
Credit: talos-cna@cisco.com
Affected Software | Affected Version | How to fix
---|---|---
Rukovoditel Rukovoditel | =2.7.2 | Update to version 2.7.3 or later
CVE-2020-13590 covers multiple exploitable SQL injection vulnerabilities in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2.
CVE-2020-13590 has a severity score of 7.2, which is considered high.
The vulnerability is exploited by sending a specially crafted HTTP request to the affected page, which leads to SQL injection.
Exploitation requires authentication: the malicious HTTP requests that trigger this vulnerability must be made by an authenticated user, either directly with administrator credentials or indirectly through cross-site request forgery.
Updating to Rukovoditel Project Management App version 2.7.3 or later is recommended to fix this vulnerability.