CVE-2019-7541

MEDIUM

Rukovoditel < 2.4.1 - Cross-Site Scripting via URL Without Login Module

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-7541. PoCs published by Mehmet EMIROGLU.

AI-analyzed exploit summary This exploit demonstrates a DOM-based XSS vulnerability in Rukovoditel Project Management CRM 2.4.1. The PoC involves injecting malicious JavaScript via the URL parameter 'module', which executes when the page loads.

Description

Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.

Exploits (1)

exploitdb WORKING POC
by Mehmet EMIROGLU · textwebappsphp
https://www.exploit-db.com/exploits/46366

This exploit demonstrates a DOM-based XSS vulnerability in Rukovoditel Project Management CRM 2.4.1. The PoC involves injecting malicious JavaScript via the URL parameter 'module', which executes when the page loads.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Rukovoditel Project Management CRM 2.4.1
No auth needed
Prerequisites: Access to the target application's URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/46366/
Release Notes, Vendor Advisory x_refsource_misc
https://blog.rukovoditel.net/releases/

Scores

CVSS v3 6.1
EPSS 0.0324
EPSS Percentile 86.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
rukovoditel/rukovoditel < 2.4.1
Published May 07, 2019
Tracked Since Feb 18, 2026