Rukovoditel Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Rukovoditel version 3.4.1. This vulnerability allows authenticated attackers to inject malicious scripts that are executed in the browsers of users viewing the affected content. The issue arises from the application's improper handling of user input in project task comments, where XSS payloads can be inserted and later executed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the comments.

Reproduction

To reproduce this vulnerability, log into an account and create a project. Add a task and open it, then insert a comment containing an XSS payload, such as an iframe tag linking to an external site. Alternatively, XSS can be injected by an admin user through the application configuration settings, such as the copyright text field, using an image tag with an event handler.