CVE-2022-43165

Name of the Vulnerable Software and Affected Versions Rukovoditel version 3.2.1

Description A stored cross-site scripting (XSS) issue in the Global Variables feature, specifically at the "/index.php?module=global vars/vars" endpoint, allows authenticated attackers to execute arbitrary web scripts or HTML. This is achieved by injecting a crafted payload into the Value parameter after clicking "Create".

Recommendations For Rukovoditel version 3.2.1, consider disabling the Global Variables feature until a patch is available to prevent exploitation. Restrict access to the "/index.php?module=global vars/vars" endpoint to minimize the risk of arbitrary web script execution. Avoid using the Value parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.