Anton Kartunov

#19820 of 53,633
13.2 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)

PT-2024-25920
6.1
2024-05-04
Unknown · Rukovoditel · CVE-2024-34468

**Name of the Vulnerable Software and Affected Versions**
Rukovoditel versions prior to 3.5.3

**Description**
The issue allows for XSS via the `user photo` parameter to My Page. This can potentially lead to malicious script execution.

**Recommendations**
For versions prior to 3.5.3, update to version 3.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `user photo` parameter in the My Page section until the update is applied.

PT-2024-3329
7.1
2024-04-08
Unknown · Rukovoditel · CVE-2024-34469

**Name of the Vulnerable Software and Affected Versions**
Rukovoditel versions prior to 3.5.3

**Description**
The issue is related to a lack of protection for the web page structure when handling the `user photo` parameter in the "index.php?module=users/registration&action=save" endpoint. This can allow a remote attacker to conduct a cross-site scripting (XSS) attack.

**Recommendations**
For versions prior to 3.5.3, update to version 3.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "index.php?module=users/registration&action=save" endpoint until a patch is available. Avoid using the `user photo` parameter in the affected endpoint until the issue is resolved.