CVE-2020-13592

Name of the Vulnerable Software and Affected Versions Rukovoditel Project Management App version 2.7.2

Description An exploitable SQL injection issue exists in the "global lists/choices" page. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this issue, which can be done either with administrator credentials or through cross-site request forgery.

Recommendations For version 2.7.2, consider restricting access to the "global lists/choices" page until a patch is available. As a temporary workaround, limit the use of administrator credentials and implement measures to prevent cross-site request forgery. At the moment, there is no information about a newer version that contains a fix for this issue.