CVE-2022-44944: n/a in n/a

Medium
Tags: Vulnerability, CVE-2022-44944, CVE, n/a, CWE-79
Published: Fri Dec 02 2022 (12/02/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Add Announcement function at /index.php?module=help_pages/pages&entities_id=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.

AI-Powered Analysis

AI analysis last updated: 06/24/2025, 03:57:16 UTC

Technical Analysis

CVE-2022-44944 is a stored cross-site scripting (XSS) vulnerability in Rukovoditel version 3.2.1, specifically in the Add Announcement function reachable at /index.php?module=help_pages/pages&entities_id=24. The Title field of this function is neither sanitized on input nor encoded on output, so an attacker can store script or HTML markup in it. Because the payload is persisted, it is rendered, and executed, in the browser of every user who later views the affected announcement page. Such stored XSS can lead to script execution in the victim's session, potentially enabling session hijacking, credential theft, or other actions performed on behalf of the victim user. The CVSS v3.1 base score is 5.4 (medium severity): attack vector network (remote exploitation), low attack complexity, low privileges required (PR:L) and user interaction required (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component, here the viewing user's browser session rather than the server component holding the flaw. Confidentiality and integrity are affected to a limited extent; availability is not affected. No known public exploits have been reported, and no official patches or vendor details are provided. The vulnerability is classified under CWE-79, improper neutralization of input during web page generation (cross-site scripting).

Potential Impact

For European organizations using Rukovoditel 3.2.1, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data confidentiality. Since Rukovoditel is a project management and CRM tool, exploitation could lead to unauthorized access to sensitive project data or internal communications if attackers successfully inject malicious scripts. The stored nature of the XSS means that any user accessing the compromised announcement page could be affected, potentially enabling lateral movement or privilege escalation within the organization’s web environment. Although the CVSS score is medium, the changed scope indicates that the impact could extend beyond the immediate vulnerable module, affecting other parts of the application or user accounts. The requirement for user interaction (clicking or viewing the malicious announcement) limits automated exploitation but does not eliminate risk, especially in environments with many users or low security awareness. The lack of known exploits suggests limited active targeting, but the vulnerability remains a credible threat if weaponized. Confidentiality and integrity impacts are moderate, with no direct availability impact.

Mitigation Recommendations

1. Immediate mitigation should include sanitizing and validating all user input in the Add Announcement Title field to prevent script injection, and implementing strict output encoding (e.g., HTML entity encoding) when rendering user-supplied content.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web application context.
3. Restrict access to the Add Announcement functionality to trusted and authenticated users only, and review user privileges to minimize exposure.
4. Conduct a thorough audit of all user input fields across the application for similar XSS vulnerabilities.
5. If patching is unavailable, consider disabling or restricting the vulnerable module temporarily until a fix is released.
6. Educate users about the risks of clicking on unexpected or suspicious announcements or links within the application.
7. Monitor web application logs for unusual input patterns or repeated attempts to inject scripts.
8. Deploy web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting this endpoint.
9. Plan for an update or patch management process once a vendor fix or community patch becomes available.
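Recommendations 1 and 2 above describe the two server-side controls that close a stored XSS of this kind: encoding stored values at the point of rendering, and a CSP that refuses inline script. The PHP below is an added example and is not Rukovoditel's code; the function names, the announcement markup and the sample stored title are all constructed for illustration. It shows the unsafe rendering pattern beside its hardened form, a minimal submission-time check for the Title field, and the CSP header.

```php
<?php
// Added example (not Rukovoditel code). Function names and markup are hypothetical.
declare(strict_types=1);

// Constructed sample: a title as it would come back from the database after an
// attacker-controlled value was stored. Stored means every viewer receives it.
$storedTitle = 'Maintenance window <img src=x onerror="alert(1)">';

// Unsafe: interpolating stored input straight into HTML. The browser parses the
// stored markup and runs the event handler in each viewer's session.
function renderTitleUnsafe(string $title): string
{
    return '<h2 class="announcement-title">' . $title . '</h2>';
}

// Hardened: contextual output encoding at the point of rendering. ENT_QUOTES
// encodes both quote characters so the value is also safe inside attribute
// values; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTitleSafe(string $title): string
{
    return '<h2 class="announcement-title">' . escapeHtml($title) . '</h2>';
}

// Submission-time validation for the Title field. Output encoding remains the
// primary control; rejecting '<' outright would break legitimate titles, so this
// only enforces a length bound and rejects control characters.
function validateTitle(string $title): bool
{
    $title = trim($title);
    if ($title === '' || strlen($title) > 200) {
        return false;
    }
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $title) === 0;
}

// Defence in depth: a CSP without 'unsafe-inline' means a payload that slips past
// encoding still cannot execute an inline handler. Legitimate inline scripts must
// carry the per-response nonce.
function sendCspHeader(string $nonce): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; base-uri 'self'");
}

if (PHP_SAPI === 'cli') {
    echo "unsafe: " . renderTitleUnsafe($storedTitle) . "\n";
    echo "safe:   " . renderTitleSafe($storedTitle) . "\n";
} else {
    $nonce = base64_encode(random_bytes(16));
    sendCspHeader($nonce);
    echo renderTitleSafe($storedTitle);
}
```

Run from the command line, the "safe" line shows the stored `<img ...>` rendered as `&lt;img ...&gt;` text rather than as an element; served through a web server, the same title is emitted encoded under a CSP that blocks inline handlers. The same `escapeHtml` call belongs at every place the Title (and any other user-supplied field, per recommendation 4) is written into HTML, not only in the announcement view.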

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-11-07T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9840c4522896dcbf12e1

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/24/2025, 3:57:16 AM

Last updated: 7/26/2025, 9:58:14 PM
