PT-2022-26786 · Unknown · Rukovoditel

Anhdq201 · Published 2022-10-28 · Updated 2022-11-01 · CVE-2022-43169

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Rukovoditel version 3.2.1
Description: A stored cross-site scripting (XSS) vulnerability exists in the Users Access Groups feature, at the /index.php?module=users_groups/users_groups endpoint. An authenticated user who clicks "Add New Group" and submits a crafted payload in the Name parameter has that value stored without output encoding; the injected script or HTML then executes in the browser of any user who later views the group, which is why the CVSS vector records a scope change (S:C) and required user interaction (UI:R).
Recommendations: For Rukovoditel version 3.2.1, no release containing a fix was known at the time of publication. As a temporary workaround, restrict access to the Users Access Groups feature (the /index.php?module=users_groups/users_groups endpoint) to the smallest set of trusted administrators, since any account able to add a group can plant the payload. Treat existing group names as untrusted data: review them for markup before they are displayed to other users, and do not rely on the Name field being rendered safely until a version with output encoding for this endpoint is available.
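The following is an added example, not Rukovoditel's own code, that models the "Add New Group" flow from the description above and the verification a tester needs for the recommendation: a group name is stored verbatim and later rendered both as table text and inside a value="" attribute of the edit form (a hypothetical layout, assumed only for the example). It shows the raw-interpolation rendering that produces the stored XSS, the hardened rendering with contextual encoding, and an offline audit that parses the rendered HTML to detect injected tags or event handlers, so a fix can be verified against a captured response without executing anything in a browser. All function names and both payloads are this example's own.

```python
"""Stored XSS in a group name: vulnerable vs. hardened rendering, plus an audit.

Added example. The rendering functions are a stand-in for a PHP template
that echoes the group Name; they are not taken from Rukovoditel.
"""
import html
from html.parser import HTMLParser

# Constructed payloads (not from the advisory): one for the text context,
# one that escapes a quoted attribute without needing a '<' at all.
PAYLOAD_TEXT = '<script>alert(document.cookie)</script>'
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'


def render_group_row_vulnerable(name: str) -> str:
    """Raw interpolation: the stored name reaches the page unencoded."""
    return (f'<tr><td>{name}</td>'
            f'<td><input type="text" name="name" value="{name}"></td></tr>')


def render_group_row_fixed(name: str) -> str:
    """Contextual output encoding for both the text and attribute contexts.

    quote=True also encodes the quote characters, so a name cannot close the
    value="" attribute and smuggle in an event handler.
    """
    safe = html.escape(name, quote=True)
    return (f'<tr><td>{safe}</td>'
            f'<td><input type="text" name="name" value="{safe}"></td></tr>')


class _Inspector(HTMLParser):
    """Collects script-capable tags and on* event-handler attributes."""

    DANGEROUS_TAGS = {'script', 'img', 'svg', 'iframe', 'object', 'embed'}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.DANGEROUS_TAGS:
            self.findings.append(f'tag:{tag}')
        for attr, _value in attrs:
            if attr.startswith('on'):
                self.findings.append(f'handler:{tag}@{attr}')


def audit(rendered_html: str) -> list[str]:
    """Parse the response as a browser would and report injected markup.

    Parsing (rather than substring search) matters: an encoded payload such as
    value="&quot; autofocus onfocus=&quot;..." still contains the bytes
    'onfocus=' but is a single harmless attribute value once parsed.
    """
    parser = _Inspector()
    parser.feed(rendered_html)
    parser.close()
    return parser.findings


def payload_survives(rendered_html: str, payload: str) -> bool:
    """True if the stored name appears in the page byte-for-byte unencoded."""
    return payload in rendered_html


def compare(payload: str) -> tuple[list[str], list[str]]:
    """Audit findings for the vulnerable and the hardened rendering."""
    return (audit(render_group_row_vulnerable(payload)),
            audit(render_group_row_fixed(payload)))


if __name__ == '__main__':
    for label, payload in (('text', PAYLOAD_TEXT), ('attribute', PAYLOAD_ATTR)):
        vulnerable, fixed = compare(payload)
        print(f'{label} payload: vulnerable -> {vulnerable}, fixed -> {fixed}')
```

Run against a real response, `audit()` is fed the HTML of the groups page after a test name has been saved; an empty findings list for both payloads is the expected result once the vendor's fix is in place, while `payload_survives()` alone is a weaker check because it only catches the text-context case.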

Exploit: XSS
Related Identifiers: CVE-2022-43169

Affected Products: Rukovoditel