First published: Thu Aug 26 2021
Stored cross-site scripting (XSS) vulnerability in the Name of application field found in the General Configuration page in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to rukovoditel_2.4.1/install/index.php.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Rukovoditel Rukovoditel | =2.4.1 | |
The vulnerability ID is CVE-2020-18470.
The severity of CVE-2020-18470 is medium, with a CVSS score of 5.4.
The affected software is Rukovoditel version 2.4.1.
Remote attackers can exploit CVE-2020-18470 by injecting arbitrary web script or HTML via a crafted website name in the Name of application field on the General Configuration page.
At the time of this report, there are no known fixes or patches available for CVE-2020-18470. It is recommended to update to a newer version of Rukovoditel when a fix becomes available.