Description
An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.
Remediation
References
Related Vulnerabilities
WordPress Plugin Fluid Responsive Slideshow Multiple Vulnerabilities (2.2.6)
Oracle JRE Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2024-21011)
WordPress Plugin Asgaros Forum Multiple SQL Injection Vulnerabilities (1.15.12)
MySQL CVE-2014-0437 Vulnerability (CVE-2014-0437)
WordPress Plugin Social Sharing-Sassy Social Share Cross-Site Scripting (3.3.39)