SQL Injection Vulnerability in Rukovoditel Project Management App 2.7.2

SQL Injection Vulnerability in Rukovoditel Project Management App 2.7.2

CVE-2020-13588 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An exploitable SQL injection vulnerability exists in the ‘entities/fields’ page of the Rukovoditel Project Management App 2.7.2. The heading_field_id parameter in ‘‘entities/fields’ page is vulnerable to authenticated SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability, this can be done either with administrator credentials or through cross-site request forgery.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.