CVE-2022-43167

Name of the Vulnerable Software and Affected Versions Rukovoditel version 3.2.1

Description A stored cross-site scripting (XSS) issue in the Users Alerts feature (/index.php?module=users alerts/users alerts) allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add".

Recommendations For Rukovoditel version 3.2.1, consider disabling the Users Alerts feature until a patch is available. Restrict access to the /index.php?module=users alerts/users alerts endpoint to minimize the risk of exploitation. Avoid using the Title parameter in the affected feature until the issue is resolved.