PT-2022-26781 · Unknown · Rukovoditel

Anhdq201 · Published 2022-10-28 · Updated 2022-10-28 · CVE-2022-43164

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Rukovoditel version 3.2.1

Description: A stored cross-site scripting (XSS) issue in the Global Lists feature, specifically at the "/index.php?module=global lists/lists" endpoint, allows authenticated attackers to execute arbitrary web scripts or HTML. The payload is stored by submitting a crafted value in the Name parameter after clicking "Add".

Recommendations: For Rukovoditel version 3.2.1, consider disabling the Global Lists feature until a patch is available. As a temporary workaround, restrict access to the "/index.php?module=global lists/lists" endpoint to minimize the risk of exploitation. Avoid using the Name parameter in the affected endpoint until the issue is resolved.

Tags: XSS


Weakness Enumeration

Related Identifiers: CVE-2022-43164

Affected Products: Rukovoditel