PT-2022-8498 · Unknown · Rukovoditel Project Management App

Published: 2022-04-18 · Updated: 2022-04-26 · CVE-2020-13590

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Rukovoditel Project Management App version 2.7.2

Description: Multiple exploitable SQL injection vulnerabilities exist in the 'entities/fields' page. A specially crafted HTTP request can lead to SQL injection. Triggering these vulnerabilities requires an authenticated HTTP request, which an attacker can obtain either by using administrator credentials or by inducing a logged-in administrator to send the request through cross-site request forgery.

Recommendations: For version 2.7.2, consider restricting access to the 'entities/fields' page until a patch is available. As a temporary workaround, limit the ability to make authenticated HTTP requests to this page to minimize the risk of exploitation.

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2020-13590

Affected Products

Rukovoditel Project Management App