CVE-2020-13592
HIGHRukovoditel 2.7.2 - Authenticated SQL Injection via Global Lists Choices Page
Title source: llmDescription
An exploitable SQL injection vulnerability exists in "global_lists/choices" page of the Rukovoditel Project Management App 2.7.2. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1201
Scores
CVSS v3
8.8
EPSS
0.0151
EPSS Percentile
71.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
rukovoditel/rukovoditel
2.7.2
Published
Apr 09, 2021
Tracked Since
Feb 18, 2026