Headline
CVE-2022-43185: Stored XSS Vulnerability on "name" parameter in Rukovoditel-3.2.1 · Issue #1 · Kubozz/rukovoditel-3.2.1
A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.
/Describe the bug/
I downloaded and install rukoviditel 3.2.1
An authenticated malicious user can take advantage of a Stored XSS vulnerability in the “name” parameter in Configuration/Holidays module.
To Reproduce
/Steps to reproduce the behavior/:
1, Login into the panel
2. Go to ‘/ukovoditel/index.php?module=holidays/holidays/’
3. Add new info
4. Insert payload: "><img src=xx onerror=alert ('document.domain) >
5. Save Alert XSS Message
/Expected behavior/
The removal of script tags is not sufficient to prevent an XSS attack. You must HTML Entity encode any output that is reflected back to the page.
/Screenshots/