Description
An exploitable SQL injection vulnerability exists in the 'entities/fields' page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter of the 'entities/fields' page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability; this can be done either with administrator credentials or through cross-site request forgery.
Remediation
References