This page aggregates CVEs and security vulnerability information across Rukovoditel-related products, listing CVSS, EPSS, publication dates, and vulnerability data.
Past issues mainly involve cross-site scripting and SQL injection; some lead to session compromise and affect scenarios involving production workloads and software deployment.
The listed data is based on public vulnerability information and security advisories and can be used to assess past exposure and remediation priority.

| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-53913 | Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc\|a!z\| to trigger code execution when an admin exports customer data as a CSV file. | [email protected] | 6.2 | 0.18% | 2025-12-17 | 2025-12-24 |
| CVE-2023-53898 | Rukovoditel 3.4.1 contains stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers. | [email protected] | 5.1 | 0.03% | 2025-12-16 | 2025-12-27 |
| CVE-2023-53897 | Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers. | [email protected] | 5.1 | 0.03% | 2025-12-16 | 2025-12-27 |
| CVE-2024-34469 | Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save. | [email protected] | 7.1 | 1.65% | 2024-05-04 | 2025-06-17 |
| CVE-2024-34468 | Rukovoditel before 3.5.3 allows XSS via user_photo to My Page. | [email protected] | 6.1 | 0.47% | 2024-05-04 | 2025-06-17 |
| CVE-2022-48175 | Rukovoditel v3.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the component /rukovoditel/index.php?module=dashboard/ajax_request. | [email protected] | 9.8 | 9.43% | 2023-01-30 | 2025-03-28 |
| CVE-2022-45020 | Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request. | [email protected] | 8.8 | 0.38% | 2022-12-05 | 2025-04-24 |
| CVE-2022-44952 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking "Add". | [email protected] | 5.4 | 1.76% | 2022-12-02 | 2025-04-24 |
| CVE-2022-44951 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Form tab function at /index.php?module=entities/forms&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | [email protected] | 5.4 | 1.73% | 2022-12-02 | 2025-04-24 |
| CVE-2022-44950 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | [email protected] | 5.4 | 2.01% | 2022-12-02 | 2025-04-24 |
| CVE-2022-44949 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add New Field function at /index.php?module=entities/fields&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Short Name field. | [email protected] | 5.4 | 2.01% | 2022-12-02 | 2025-04-24 |
| CVE-2022-44948 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Entities Group feature at /index.php?module=entities/entities_groups. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field after clicking "Add". | [email protected] | 5.4 | 1.73% | 2022-12-02 | 2025-04-24 |
| CVE-2022-44947 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Highlight Row feature at /index.php?module=entities/listing_types&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note field after clicking "Add". | [email protected] | 5.4 | 1.09% | 2022-12-02 | 2025-04-24 |
| CVE-2022-44946 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Page function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field. | [email protected] | 5.4 | 0.93% | 2022-12-02 | 2025-04-24 |
| CVE-2022-44945 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter. | [email protected] | 9.8 | 0.96% | 2022-12-02 | 2025-04-24 |
| CVE-2022-44944 | Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field. | [email protected] | 5.4 | 0.93% | 2022-12-02 | 2025-04-24 |
| CVE-2022-43288 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/index.php?module=logs/view&type=php. | [email protected] | 8.8 | 0.26% | 2022-11-14 | 2025-04-30 |
| CVE-2022-43170 | A stored cross-site scripting (XSS) vulnerability in the Dashboard Configuration feature (index.php?module=dashboard_configure/index) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add info block". | [email protected] | 5.4 | 5.44% | 2022-10-28 | 2025-05-07 |
| CVE-2022-43169 | A stored cross-site scripting (XSS) vulnerability in the Users Access Groups feature (/index.php?module=users_groups/users_groups) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add New Group". | [email protected] | 5.4 | 7.33% | 2022-10-28 | 2025-05-08 |
| CVE-2022-43168 | Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter. | [email protected] | 9.8 | 0.65% | 2022-10-28 | 2025-05-08 |