CVE-2022-43166

Name of the Vulnerable Software and Affected Versions Rukovoditel version 3.2.1

Description A stored cross-site scripting (XSS) issue in the Global Entities feature, specifically at the "/index.php?module=entities/entities" endpoint, allows authenticated attackers to execute arbitrary web scripts or HTML. This is achieved by injecting a crafted payload into the Name parameter after clicking "Add New Entity".

Recommendations For Rukovoditel version 3.2.1, consider disabling the Global Entities feature until a patch is available to prevent exploitation. Restrict access to the "/index.php?module=entities/entities" endpoint to minimize the risk of arbitrary web script execution. Avoid using the Name parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.