PT-2020-12867 · Rukovoditel · Rukovoditel

Published

2020-04-16

·

Updated

2020-04-22

·

CVE-2020-11818

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Rukovoditel version 2.5.2

Description

The CSRF protection in Rukovoditel 2.5.2 can be bypassed. A forged request is accepted when it carries a valid form session token that was issued to another user, which indicates that the token is checked only for validity and is not bound to the session of the user who actually submits the form. An attacker can therefore take a token from a session they control (for example, one issued to their own account), embed it in a forged request, and have a logged-in administrator submit that request from their browser. A successful attack can change the Admin password and so escalate the attacker's privileges.

Recommendations

No release containing a fix for this vulnerability is known at the time of writing. For Rukovoditel version 2.5.2, consider temporarily disabling the ability to change the Admin password through the affected form until a patch is available, or restrict access to the form to reduce the risk of exploitation.
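The following is an added example, not Rukovoditel's code and not part of the original advisory. It models the flaw class the description names (a CSRF token that is accepted whenever it is valid for some session, rather than for the session submitting the form) beside a hardened check that binds the token to the requesting session with an HMAC. The handler, session layout, form field names and target URL are hypothetical stand-ins; how Rukovoditel itself stores and checks its tokens is not reproduced here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Per-deployment secret; in a real application this lives in config, not in code.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Session:
    """Minimal stand-in for a logged-in browser session (constructed for the example)."""
    session_id: str
    user: str
    is_admin: bool


class VulnerableCsrfGuard:
    """Models the flaw class in the advisory: every issued token goes into one
    global set, and verification only asks "was this token ever issued?".
    The token is never tied to the session that submits it, so a token obtained
    by any user passes the check on any other user's request."""

    def __init__(self) -> None:
        self._issued: set[str] = set()

    def issue(self, session: Session) -> str:
        token = secrets.token_hex(16)
        self._issued.add(token)
        return token

    def verify(self, session: Session, token: str) -> bool:
        return token in self._issued  # session is ignored: this is the bypass


class HardenedCsrfGuard:
    """Token = nonce.HMAC(secret, session_id:nonce). Verification recomputes the
    MAC with the id of the session that actually sent the request, so a token
    minted for the attacker's session cannot validate on the admin's session."""

    @staticmethod
    def _mac(session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def issue(self, session: Session) -> str:
        nonce = secrets.token_hex(8)
        return f"{nonce}.{self._mac(session.session_id, nonce)}"

    def verify(self, session: Session, token: str) -> bool:
        nonce, sep, mac = token.partition(".")
        if not sep or not nonce:
            return False
        expected = self._mac(session.session_id, nonce)
        return hmac.compare_digest(mac, expected)  # constant-time comparison


def change_admin_password(guard, session: Session, form: dict) -> bool:
    """Hypothetical password-change handler. Returns True when the change would
    be applied; the real Rukovoditel handler is not reproduced here."""
    if not session.is_admin:
        return False
    if not guard.verify(session, form.get("csrf_token", "")):
        return False
    # A real handler would update the password store here.
    return bool(form.get("new_password"))


def csrf_attack_page(target_url: str, token: str, new_password: str) -> str:
    """Attacker-hosted page that auto-submits the forged form from the victim's
    browser, which attaches the admin's session cookie automatically."""
    return (
        f'<form id="f" method="POST" action="{target_url}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<input type="hidden" name="new_password" value="{new_password}">'
        "</form><script>document.getElementById('f').submit()</script>"
    )


def simulate_attack(guard) -> bool:
    """Returns True if the forged request changes the admin password."""
    attacker = Session("sid-attacker", "mallory", is_admin=False)
    admin = Session("sid-admin", "admin", is_admin=True)
    # The attacker loads any form in their own account and reads its token.
    attacker_token = guard.issue(attacker)
    page = csrf_attack_page("https://target.example/users/password", attacker_token, "pwned")
    assert attacker_token in page
    # The admin visits the page; the browser submits the form with the admin's
    # cookie, so the server sees the admin's session plus the attacker's token.
    forged_form = {"csrf_token": attacker_token, "new_password": "pwned"}
    return change_admin_password(guard, admin, forged_form)


if __name__ == "__main__":
    print("vulnerable guard: password changed =", simulate_attack(VulnerableCsrfGuard()))
    print("hardened guard:   password changed =", simulate_attack(HardenedCsrfGuard()))
```

The point of the hardened variant is that the server never needs to store issued tokens: binding the token to the session id through a keyed MAC means a token is only meaningful for the session it was minted for, and the comparison is constant-time so the check does not leak anything about the expected value.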

Exploit

CSRF


Weakness Enumeration

Related Identifiers

CVE-2020-11818

Affected Products

Rukovoditel