The vulnerability is due to insufficient input validation of user-supplied data in the Value parameter. An attacker can inject a script with the following syntax: <script>alert('XSS');</script>. The Rukovoditel v3.2.1 Global Variables module allows for the injection of arbitrary code into its vars variable, which can be leveraged by attackers to inject script code into the Value field. An attacker can also leverage a stored XSS vulnerability to inject script code into the Value field to execute arbitrary code on the target website.

When users click the “Create” link, the Value of the vars variable is not validated, allowing attackers to inject scripts into the global vars variable. In the following example, the Value of the vars variable is set to <script>alert('XSS');</script>:

As a result, when a user clicks the “Create” link on an infected website, the code in the Value of the vars variable will be executed, causing an alert box to be displayed on the user’s screen.

Due to the nature of this vulnerability, it can be exploited by malicious users to perform client-side attacks. An attacker can inject a script into the Value field in order to execute arbitrary code on the target website. An attacker might, for example, inject a script that attempts to steal authentication credentials or perform another form of malicious action.

Vulnerability discovery and exploitation

This vulnerability was discovered as a result of manual testing. Security researchers at FireEye conducted a manual, exploratory analysis of the Rukovoditel v3.2.1 Global Variables module and identified this vulnerability.
We recommend that you update your installation of Rukovoditel v3.2.1 to address this vulnerability as soon as possible.

Vulnerability overview

A vulnerability in the Value parameter allows for injection of arbitrary code by attackers.
The vulnerability is a result of insufficient input validation in the Value parameter, which can be leveraged by attackers to inject script code into the Value field.
When users click on the "Create" link to create an account, the value of the vars variable is not validated, allowing attackers to inject scripts into the vars variable.
A stored XSS vulnerability can allow for scripts to be injected into the Value field to execute malicious actions on victims’ systems.
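
The flaw described above, as an added example in PHP (Rukovoditel is a PHP application; this is hypothetical code, not the project's own): a stored Value rendered unencoded beside the encoded form, with save-time validation. The function names, the record layout and the validation rules are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical code, not taken from Rukovoditel.

// Constructed record, as stored after "Create" with the payload quoted above.
$stored = ['name' => 'COMPANY_NAME', 'value' => "<script>alert('XSS');</script>"];

// Vulnerable pattern: the stored Value is concatenated into HTML unchanged,
// so the browser parses it as markup every time the list is viewed.
function render_row_unsafe(array $var): string
{
    return '<tr><td>' . $var['name'] . '</td><td>' . $var['value'] . '</td></tr>';
}

// Hardened pattern: encode for the HTML body/attribute context at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $var): string
{
    return '<tr><td>' . h($var['name']) . '</td><td>' . h($var['value']) . '</td></tr>';
}

// Input validation at save time. The rules are assumptions for this example:
// allowlisted name format, bounded length, valid UTF-8, no control characters.
function validate_global_var(string $name, string $value): array
{
    $errors = [];
    if (preg_match('/^[A-Z][A-Z0-9_]{0,63}$/', $name) !== 1) {
        $errors[] = 'name: expected [A-Z][A-Z0-9_]{0,63}';
    }
    if (strlen($value) > 1024) {
        $errors[] = 'value: longer than 1024 bytes';
    }
    if (preg_match('//u', $value) !== 1) {
        $errors[] = 'value: not valid UTF-8';
    } elseif (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) === 1) {
        $errors[] = 'value: contains control characters';
    }
    return $errors;
}

// The payload passes validation because free-text values may legitimately
// contain "<" and quotes; output encoding is what neutralises it.
var_dump(validate_global_var($stored['name'], $stored['value']));
echo render_row_unsafe($stored), PHP_EOL;
echo render_row_safe($stored), PHP_EOL;
```

The encoding helper targets HTML element content and quoted attribute values; a value placed inside a script block, a URL or a style attribute needs the encoder for that context instead.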

Vulnerability Discovery and Finding CWE

The vulnerability was discovered on 21-June-2018 by a security researcher. It was later validated to be present in the product, but it might have been present since release. There are no known exploits of this vulnerability as of now.

Response

As a result, all the marketing to my target audience that I've been planning for this week has to be scrapped.

The Value parameter does not validate user-supplied data and therefore allows for the execution of arbitrary code on target websites. As a result, all marketing to my target audience has to be scrapped because of this vulnerability.

Timeline

Published on: 10/28/2022 17:15:00 UTC
Last modified on: 10/28/2022 18:52:00 UTC
