Stored XSS vulnerabilities in the Configuration/Holidays module of Rukovoditel v3.2.1 allow remote attackers to execute arbitrary web script or HTML via a crafted name parameter. This issue is similar to CVE-2018-15432 and CVE-2018-15433, which were both resolved by upgrading to version 3.2.2. In addition, this issue is similar to CVE-2018-15434 and CVE-2018-15435, which were both resolved by upgrading to version 3.2.3. This update resolves all previously resolved issues.

CVE-2018-15436: Through a direct request to this page, it is possible to obtain the full list of all user accounts that have accessed the system within the last 90 days, as well as their IP addresses. Due to a bug in the code, we were able to extract the email address of every user who had accessed the system within the last 90 days. [Screenshot: the full list of users, including their email addresses.] Users can be notified of this issue by email. This issue affects v3.2.

3.2.1 - Stored XSS in the Configuration/Holidays Module

The Configuration/Holidays module in Rukovoditel has a stored XSS vulnerability that allows remote attackers to execute arbitrary web script or HTML via a crafted name parameter.

Description of Affected Code

The bug in the code is that, when checking whether a person has accessed the system within the last 90 days, we are only comparing their email address to the server's email address. This means that if an attacker sends a request with an email address different from the server's, they will not be identified as having accessed the system within the last 90 days. This issue affects v3.2.

Timeline

Published on: 10/19/2022 14:15:00 UTC
Last modified on: 10/20/2022 20:09:00 UTC