CVE-2020-13588

Name of the Vulnerable Software and Affected Versions Rukovoditel Project Management App version 2.7.2

Description An exploitable SQL injection issue exists in the 'entities/fields' page. The heading field id parameter in this page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this issue, which can be done either with administrator credentials or through cross-site request forgery.

Recommendations For version 2.7.2, as a temporary workaround, consider restricting access to the 'entities/fields' page until a patch is available. Avoid using the heading field id parameter in the affected page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.