CVE-2020-18469

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.4.1

Description: A stored cross-site scripting (XSS) issue exists in the Copyright Text field, located in the Application page under the Configuration menu. This allows remote attackers to inject arbitrary web script or HTML via a crafted website name by sending an authenticated POST HTTP request to "/rukovoditel 2.4.1/index.php?module=configuration/save&redirect to=configuration/application".

Recommendations: For Rukovoditel version 2.4.1, consider disabling the Copyright Text field in the Application page under the Configuration menu until a patch is available. Restrict access to the /rukovoditel 2.4.1/index.php?module=configuration/save&redirect to=configuration/application endpoint to minimize the risk of exploitation. Avoid using crafted website names that could inject arbitrary web script or HTML. At the moment, there is no information about a newer version that contains a fix for this issue.