CVE-2022-43167
published 2022-10-28CVE-2022-43167: A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows…
PriorityP428medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EXPLOIT
EPSS
0.93%
56.1th percentile
A stored cross-site scripting (XSS) vulnerability in the Users Alerts feature (/index.php?module=users_alerts/users_alerts) of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add".
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rukovoditel | rukovoditel | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Rukovoditel <= 3.2.1 - Cross Site Scripting
nuclei·CVSS 5.4
CVE-2022-43167 [MEDIUM] Rukovoditel <= 3.2.1 - Cross Site Scripting
Rukovoditel alert(document.domain)")'
- 'contains(body_3, "rukovoditel")'
condition: and
extractors:
- type: regex
name: nonce
group: 1
regex:
- 'id="form_session_token" value="(.*)" type="hidden"'
internal: true
# digest: 4b0a0048304602210094b2cab6a908fa765949b0d17f8e3cdf343a5b6b18a0fd050cfab1f835c786730221009e3204753c851aa1cee5cdb1fc954f7a811ba3ed3eed5f287a210eed24e1a6f0:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
2022-10-28
Published