Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Rukovoditel Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2020-13589 - Vulnerability Database
Rukovoditel

Rukovoditel Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability - CVE-2020-13589

High
Reference: CVE-2020-13589
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2020-13589
Title: Rukovoditel Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) Vulnerability
Overview:

An exploitable SQL injection vulnerability exists in the entities/fields page of the Rukovoditel Project Management App 2.7.2. The entities_id parameter in the 39entities/fields page (mulitple_edit or copy_selected or export function) is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability this can be done either with administrator credentials or through cross-site request forgery.