CVE-2022-43165: n/a in n/a
A stored cross-site scripting (XSS) vulnerability in the Global Variables feature (/index.php?module=global_vars/vars) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Value parameter after clicking "Create".
AI Analysis
Technical Summary
CVE-2022-43165 is a stored cross-site scripting (XSS) vulnerability identified in the Global Variables feature of Rukovoditel version 3.2.1. Rukovoditel is a web-based project management and database application platform. The vulnerability exists in the /index.php?module=global_vars/vars endpoint, specifically in the handling of the 'Value' parameter when creating new global variables. Authenticated users can inject malicious scripts or HTML payloads into this parameter. When other users view the affected page or variable, the injected script executes in their browsers, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability requires the attacker to have authenticated access and user interaction (clicking 'Create') to inject the payload. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, user interaction needed, and partial confidentiality and integrity impact but no availability impact. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). No known exploits in the wild or patches have been reported as of the publication date. The scope is changed (S:C), indicating the vulnerability affects resources beyond the initially vulnerable component, potentially impacting other users or components within the application.
Potential Impact
For European organizations using Rukovoditel 3.2.1, this vulnerability poses a moderate risk. Since exploitation requires authenticated access, the threat is primarily from insiders or attackers who have compromised user credentials. Successful exploitation could allow attackers to execute arbitrary scripts in the context of other users, leading to theft of session tokens, unauthorized actions, or spreading malware within the application environment. This could compromise the confidentiality and integrity of project management data, which may include sensitive business information or personal data protected under GDPR. The vulnerability could also facilitate further attacks by enabling privilege escalation or lateral movement within the organization's network. Given the collaborative nature of Rukovoditel, the impact could extend to multiple users and departments, potentially disrupting workflows and damaging organizational reputation.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first verify if they are running Rukovoditel version 3.2.1 and restrict access to the Global Variables feature to trusted users only. Implement strict input validation and output encoding on the 'Value' parameter to neutralize any injected scripts. Since no official patch is currently available, consider applying temporary workarounds such as disabling the Global Variables feature or restricting the ability to create or modify global variables to highly privileged users. Monitor logs for suspicious activity related to the global_vars module and review user permissions regularly. Additionally, educate users about the risks of XSS and enforce strong authentication mechanisms to reduce the risk of credential compromise. Organizations should track vendor communications for any forthcoming patches and apply them promptly once released.
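A defender-side check for the mitigation above, added here as an example rather than code from Rukovoditel: it scans stored global-variable rows for values that carry markup (the retrospective audit an administrator would run after learning of a stored XSS) and shows the output encoding to apply when such a value is rendered. The row layout, field names and sample rows are assumptions.

```python
import html
import re
from dataclasses import dataclass


# Assumption: a global variable is stored as a name, a free-text value and its author.
# These rows are constructed for the example and are not real application data.
@dataclass
class GlobalVar:
    name: str
    value: str
    created_by: str


# Patterns that should never occur in a plain-text variable value: an HTML tag,
# an inline event-handler attribute, or a script URL scheme.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*"   # opening or closing tag such as <img or </script
    r"|\bon[a-z]+\s*="           # event handler such as onerror=
    r"|javascript\s*:",          # javascript: URL
    re.IGNORECASE,
)


def contains_markup(value: str) -> bool:
    """True if the value would render as active content when echoed unencoded."""
    return MARKUP_RE.search(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding to apply before writing the value into page text or an attribute."""
    return html.escape(value, quote=True)


def audit(rows):
    """Return (name, created_by) for every stored value that looks like injected markup."""
    return [(r.name, r.created_by) for r in rows if contains_markup(r.value)]


SAMPLE_ROWS = [  # constructed sample data; "5 < 10" shows a legitimate '<' is not flagged
    GlobalVar("company_name", "Acme GmbH", "alice"),
    GlobalVar("footer", "Use 5 < 10 in formulas", "bob"),
    GlobalVar("banner", '<img src="x" onerror="alert(1)">', "mallory"),
    GlobalVar("link", "JavaScript:void(0)", "mallory"),
]

if __name__ == "__main__":
    for name, who in audit(SAMPLE_ROWS):
        print(f"suspicious global variable {name!r} created by {who}")
    print(encode_for_html(SAMPLE_ROWS[2].value))
```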
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-10-17T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd7ec4
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/5/2025, 3:41:29 AM
Last updated: 8/16/2025, 4:12:54 AM