BugReport/CVE-2020-21732
| Field | Value |
|---|---|
| Vulnerability Type | Cross Site Scripting (XSS) |
| Affected Component | The Rukovoditel system does not validate the attachment filename (Add project --> Add attachment). |
| Attack Type | Remote |
| Impact: Code execution | true |
| Attack Vectors | The attacker could add JavaScript code to the filename. The JavaScript code runs every time a project is opened. |
| References | http://rukovoditel.com, https://www.rukovoditel.net |
| Vendor of Product | https://www.rukovoditel.net |
| Suggested description | Rukovoditel Project Management app 2.6 is affected by Cross Site Scripting (XSS). An attacker can add JavaScript code to the filename. |
| Affected Product Code Base | Rukovoditel Project Management app 2.6 |

Use CVE-2020-21732 for this vulnerability.
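The report describes a stored XSS: an attachment name is saved unchecked and later written into the project page as-is. The following added example (not code from the report or from Rukovoditel) contrasts the defective pattern with the two defences a fix needs: a whitelist check on the filename at upload time, and context-aware escaping when the name is rendered. The sample filenames are constructed for illustration.

```python
import html
import re
import unicodedata
from urllib.parse import quote

# Constructed sample attachment names (not from the original report):
# one benign, two carrying markup that must never reach the page unescaped.
SAMPLE_NAMES = [
    "budget-2020.xlsx",
    "<img src=x onerror=alert(1)>.pdf",
    'report" onmouseover="alert(1).docx',
]

# Upload-time whitelist: letters, digits, dot, underscore, space, hyphen;
# must start with an alphanumeric and stay within a sane length.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,199}$")


def validate_filename(name: str) -> bool:
    """Return True only if the attachment name matches the whitelist.

    NFKC normalisation folds full-width look-alikes before the check, and
    '..' is rejected separately so the name cannot double as a path step.
    """
    name = unicodedata.normalize("NFKC", name)
    return bool(SAFE_FILENAME.fullmatch(name)) and ".." not in name


def render_attachment_link_unsafe(name: str) -> str:
    """Mirrors the reported defect: the stored name is interpolated raw."""
    return f'<a href="/attachments/{name}">{name}</a>'


def render_attachment_link(name: str) -> str:
    """Hardened rendering: percent-encode in the URL, HTML-escape in text.

    Escaping at output time protects even names stored before the
    whitelist existed; the two defences are independent.
    """
    return (
        f'<a href="/attachments/{quote(name)}">'
        f"{html.escape(name, quote=True)}</a>"
    )


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(validate_filename(n), render_attachment_link(n))
```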