CVE-2022-43164: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE-2022-43164
Published: Fri Oct 28 2022 (10/28/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

A stored cross-site scripting (XSS) vulnerability in the Global Lists feature (/index.php?module=global_lists/lists) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add".

AI-Powered Analysis

Last updated: 07/05/2025, 03:40:27 UTC

Technical Analysis

CVE-2022-43164 is a stored cross-site scripting (XSS) vulnerability identified in the Global Lists feature of Rukovoditel version 3.2.1. Rukovoditel is a web-based project management and database application platform. The vulnerability arises when an authenticated attacker injects a crafted payload into the 'Name' parameter of the Global Lists module (/index.php?module=global_lists/lists) by clicking the 'Add' button. Because this is a stored XSS, the malicious script is saved on the server and subsequently executed in the browsers of users who view the affected page. The vulnerability requires the attacker to have valid credentials (authentication required) and user interaction (clicking 'Add') to inject the payload. The CVSS 3.1 base score is 5.4 (medium severity), with an attack vector of network (remote), low attack complexity, privileges required, user interaction required, and a scope change. The impact affects confidentiality and integrity, allowing execution of arbitrary scripts or HTML, which could lead to session hijacking, defacement, or unauthorized actions performed in the context of the victim user. There is no indication of availability impact. No public exploits are known in the wild, and no patches or vendor advisories are currently linked. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Potential Impact

For European organizations using Rukovoditel 3.2.1, this vulnerability poses a risk of unauthorized script execution within authenticated sessions. Attackers could leverage this to steal session tokens, perform actions on behalf of legitimate users, or conduct phishing attacks by injecting malicious content. This could lead to data leakage, unauthorized data modification, or reputational damage. Since Rukovoditel is used for project management and database applications, sensitive business data could be exposed or manipulated. The requirement for authentication limits the attack surface to internal or compromised users, but insider threats or credential compromise could facilitate exploitation. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the initially vulnerable component, potentially impacting other parts of the application or user sessions. Given the medium severity, the impact is significant but not critical, especially if compensating controls such as web application firewalls or strict input validation are in place.

Mitigation Recommendations

European organizations should immediately audit their use of Rukovoditel and identify any installations running version 3.2.1. Since no official patch is referenced, organizations should implement the following mitigations:

1) Apply strict input validation and output encoding on the 'Name' parameter in the Global Lists feature to neutralize malicious scripts.
2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts.
3) Limit user privileges to minimize the number of users able to add or modify Global Lists entries.
4) Monitor logs for suspicious activity related to the Global Lists module, especially unexpected input patterns or repeated failed attempts.
5) Educate users about the risks of clicking untrusted links or interacting with suspicious content within the application.
6) Consider deploying a web application firewall (WAF) with rules to detect and block XSS payloads targeting this endpoint.
7) Regularly review and update authentication and session management controls to prevent session hijacking.

Organizations should also track vendor communications for any forthcoming patches or updates addressing this vulnerability.
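The following is an added example (not Rukovoditel's own code, which is PHP) showing two of the mitigations above for a list 'Name' value: context-aware HTML output encoding beside the unsafe rendering that a stored XSS depends on, a simple audit pass over already-stored entries to flag script-like names, and a restrictive CSP header. The entry list and the test payloads are constructed for illustration.

```python
import html
import re

# Constructed sample of stored Global Lists entries (illustrative, not real data).
SAMPLE_ENTRIES = [
    {"id": 1, "name": "Priority"},
    {"id": 2, "name": "<script>alert(1)</script>"},          # classic canary payload
    {"id": 3, "name": '<img src=x onerror="alert(1)">'},    # event-handler variant
    {"id": 4, "name": "Q1 Budget 2023"},
    {"id": 5, "name": "Bob's list"},                        # benign apostrophe
]

# Markers typical of HTML/JS injection attempts in a plain-text field such as 'Name'.
_XSS_MARKERS = re.compile(
    r"<\s*script\b|<\s*(iframe|svg|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def render_name_unsafe(name: str) -> str:
    """The vulnerable pattern: stored value echoed into HTML without encoding."""
    return f"<td>{name}</td>"


def render_name_safe(name: str) -> str:
    """Encode for an HTML text/attribute context. Note: html.escape is NOT
    sufficient for a JavaScript or URL context; encode per output context."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def looks_like_xss(name: str) -> bool:
    """Heuristic used for auditing/monitoring, not as the sole defence."""
    return _XSS_MARKERS.search(name) is not None


def audit_entries(entries) -> list:
    """Return ids of stored entries whose 'name' looks like an injection payload."""
    return [e["id"] for e in entries if looks_like_xss(e["name"])]


def csp_header() -> tuple:
    """A restrictive CSP that blocks inline scripts injected via stored XSS."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")
```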

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-10-17T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7ea4

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 3:40:27 AM

Last updated: 7/31/2025, 1:55:49 AM
