CVE-2022-43170

Name of the Vulnerable Software and Affected Versions Rukovoditel version 3.2.1

Description A stored cross-site scripting (XSS) issue in the Dashboard Configuration feature, specifically at the "index.php?module=dashboard configure/index" endpoint, allows authenticated attackers to execute arbitrary web scripts or HTML. This is achieved by injecting a crafted payload into the Title parameter after clicking "Add info block".

Recommendations For Rukovoditel version 3.2.1, consider disabling the "Add info block" feature in the Dashboard Configuration until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the "index.php?module=dashboard configure/index" endpoint to minimize the risk of arbitrary web script execution. Avoid using the Title parameter in the affected endpoint until the issue is resolved.