CVE-2020-13587

Name of the Vulnerable Software and Affected Versions Rukovoditel Project Management App version 2.7.2

Description An exploitable SQL injection issue exists in the "forms fields rules/rules" page. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this issue, which can be done either with administrator credentials or through cross-site request forgery.

Recommendations For version 2.7.2, consider restricting access to the "forms fields rules/rules" page until a patch is available. As a temporary workaround, limit the ability to make authenticated HTTP requests to this page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.