Posts Rukovoditel | SQL Injection [entities_id] | CVE-2020-11820
Post
Cancel

Rukovoditel | SQL Injection [entities_id] | CVE-2020-11820

Vendor: https://sourceforge.net/projects/rukovoditel/

Version: 2.5.2

Vulnerability: SQL Injection

CVE: CVE-2020-11820

CVSS 3.x Base Score: 9.8 CRITICAL

Rukovoditel is a free web-based open-source project management application. A far cry from traditional applications, Rukovoditel gives users a broader and extensive approach to project management. Its customization options allow users to create additional entities, modify and specify the relationship between them, and generate the necessary reports. The platform enables users to craft their own application that is specifically tailored for their activity (CRM, ERP, HRM, WMS, etc.).

Rukovoditel Version 2.5.2 is affected by SQL injection vulnerability because of improper handling of entities_id parameter.

Endpoint -> index.php?module=entities/fields&entities_id=1

Output of sqlmap,

This post is licensed under CC BY 4.0 by the author.