CVE-2018-20166

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.3.1

Description: A file-upload issue exists, allowing users to upload PHP content by exploiting a weakness in extension checking. The "index.php?module=configuration/save" endpoint accepts uploads if the first few characters match GIF data and the filename ends in ".php" with mixed case, such as the .pHp extension.

Recommendations: For Rukovoditel version 2.3.1, as a temporary workaround, consider restricting access to the "index.php?module=configuration/save" endpoint to minimize the risk of exploitation. Avoid using this endpoint for file uploads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.