Rukovoditel Support Forum

I’ll answer here the same way as in the other post. https://forum.rukovoditel.net/viewtopic.php?p=20132 I can't agree with you. Even if the application has functionality for adding HTML/PHP/JS code, it is still necessary to filter out potentially dangerous functions. I don’t think that your users wi...

I can't agree with you. Even if the application has functionality for adding HTML/PHP/JS code, it is still necessary to filter out potentially dangerous functions. I don’t think that your users will be happy if they are redirected to a malicious site after logging in. "/><script>location.replac...

Hey! I found an xss vulnerability in the configuration/custom_html module. In the functionality of adding custom HTML code at the CFG[CUSTOM_HTML_HEAD] and CFG[CUSTOM_HTML_BODY] parameters. Payload: <script>alert('text'%2bdocument.cookie)</script> Request: POST /index.php?module=configuration/save&a...

Hey! I found an xss vulnerability in the users_alerts module. In the title parameter when creating an alert for all users, you can insert a payload. Payload: "/><script>alert(document.cookie)</script> . Request: POST /index.php?module=users_alerts/users_alerts&action=save&id=1&token...

Awesome! Can I register a CVE with this vulnerability? After you will fixing it.

Hey! I found an xss vulnerability in the latest version of your application. The vulnerability is in the user_photo parameter and can be inserted in several places. Payload: "><img src=a onerror=alert(document.cookie)> 1. Editing the personal page "My Page" POST /index.php?module=user...