Skip to main content

Rukovoditel CVE-2020-11812

CRITICAL
SQL Injection (CWE-89)
2020-04-16 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 16, 2020 - 19:15 nvd
CRITICAL 9.8

DescriptionNVD

Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter.

AnalysisAI

Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the filters[0][value] or filters[1][value] parameter. Affected products include: Rukovoditel.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2022-44945 CRITICAL POC
9.8 Dec 02

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter. Rated cri

CVE-2022-43168 CRITICAL POC
9.8 Oct 28

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the reports_id parameter. Rated critical

CVE-2020-11817 CRITICAL POC
9.8 Apr 27

In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. Ra

CVE-2020-11820 CRITICAL POC
9.8 Apr 16

Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the entities_id parameter

CVE-2020-11819 CRITICAL POC
9.8 Apr 16

In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve

CVE-2020-11816 CRITICAL POC
9.8 Apr 16

Rukovoditel 2.5.2 is affected by a SQL injection vulnerability because of improper handling of the reports_id (POST) par

CVE-2020-11815 CRITICAL POC
9.8 Apr 16

In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. Rated c

CVE-2022-45020 HIGH POC
8.8 Dec 05

Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /ruko

CVE-2022-43288 HIGH POC
8.8 Nov 14

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the order_by parameter at /rukovoditel/in

CVE-2021-30224 HIGH POC
8.8 Apr 29

Cross Site Request Forgery (CSRF) in Rukovoditel v2.8.3 allows attackers to create an admin user with an arbitrary crede

CVE-2020-11818 HIGH POC
8.8 Apr 16

In Rukovoditel 2.5.2 has a form_session_token value to prevent CSRF attacks. Rated high severity (CVSS 8.8), this vulner

CVE-2024-34469 HIGH POC
7.1 May 04

Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save. Rated high severi

Share

CVE-2020-11812 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy