CVE-2020-18470

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.4.1

Description: A stored cross-site scripting (XSS) issue exists in the Name of application field on the General Configuration page, allowing remote attackers to inject arbitrary web script or HTML via a crafted website name by sending an authenticated POST HTTP request to the /install/index.php endpoint. The name variable is vulnerable to injection, enabling attackers to execute malicious scripts.

Recommendations: For Rukovoditel version 2.4.1, as a temporary workaround, consider restricting access to the General Configuration page until a patch is available. Avoid using the /install/index.php endpoint with crafted website names to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.