PT-2024-3329 · Unknown · Rukovoditel

Anton Kartunov +1 · Published 2024-04-08 · Updated 2024-08-01 · CVE-2024-34469

CVSS v3.1: 7.1 High
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions
Rukovoditel versions prior to 3.5.3

Description
The issue is related to a lack of protection for the web page structure when handling the user photo parameter in the "index.php?module=users/registration&action=save" endpoint. This can allow a remote attacker to conduct a cross-site scripting (XSS) attack.

Recommendations
For versions prior to 3.5.3, update to version 3.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "index.php?module=users/registration&action=save" endpoint until a patch is available. Avoid using the user photo parameter in the affected endpoint until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-03592
CVE-2024-34469

Affected Products

Rukovoditel