CVE-2022-44948

Name of the Vulnerable Software and Affected Versions Rukovoditel version 3.2.1

Description The issue is related to a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at "/index.php?module=entities/entities groups". This allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add".

Recommendations For Rukovoditel version 3.2.1, consider disabling the Entities Group feature at "/index.php?module=entities/entities groups" until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the Name field in the Entities Group feature to minimize the risk of arbitrary web script or HTML execution.