Description
An exploitable SQL injection vulnerability exists in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter of the 'entities/fields' page is vulnerable to authenticated SQL injection. An attacker can trigger this vulnerability with authenticated HTTP requests, either by using administrator credentials directly or through cross-site request forgery against a logged-in administrator.
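The bug class described above, shown as an added example that is not Rukovoditel's code: a handler that concatenates heading_field_id into the SQL text next to a hardened version that validates the value as an integer and binds it as a parameter. The table names, columns and rows are constructed stand-ins, and the in-memory SQLite database is used only so the contrast can be run offline.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema; it is not Rukovoditel's schema (assumed names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_fields (id INTEGER PRIMARY KEY, entities_id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE app_users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO app_fields VALUES (?, ?, ?)",
                     [(1, 1, "Title"), (2, 1, "Status"), (3, 2, "Owner")])
    conn.execute("INSERT INTO app_users VALUES (1, 'admin', 'hash-value')")  # constructed row
    return conn


def fields_vulnerable(conn, heading_field_id):
    """Vulnerable pattern: the request parameter is spliced into the query string.

    Anything the caller supplies becomes part of the SQL, so a value such as
    '1 UNION SELECT id, password_hash FROM app_users' reads from another table.
    """
    sql = "SELECT id, name FROM app_fields WHERE id=" + str(heading_field_id)
    return conn.execute(sql).fetchall()


def fields_hardened(conn, heading_field_id):
    """Hardened pattern: reject non-integer input, then bind the value.

    The identifier never becomes SQL text, so the UNION payload is refused
    before it reaches the database.
    """
    try:
        fid = int(heading_field_id)
    except (TypeError, ValueError):
        raise ValueError("heading_field_id must be an integer")
    return conn.execute("SELECT id, name FROM app_fields WHERE id=?", (fid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION SELECT id, password_hash FROM app_users"
    print("vulnerable:", fields_vulnerable(db, payload))
    try:
        fields_hardened(db, payload)
    except ValueError as exc:
        print("hardened rejected payload:", exc)
```

The hardened function also illustrates why the CSRF angle matters: parameter binding closes the injection, but the request still runs with the administrator's session, so the page handling heading_field_id should additionally require an anti-CSRF token before it is accepted from a cross-origin form.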
Remediation
References