Rukovoditel
cpe:2.3:a:rukovoditel:rukovoditel:*:*:*:*:*:*:*
- 3.3.1
A CSV injection vulnerability has been identified in Rukovoditel version 3.3.1. This vulnerability allows authenticated users to inject malicious formulas into the firstname field. When an admin exports customer data as a CSV file and opens it in a spreadsheet application, these injected formulas can be executed, leading to potential code execution on the admin's computer.
Exploitation of this vulnerability allows for CSV injection, where injected formulas are executed when the CSV file is opened.
To reproduce this vulnerability, log in as a user and navigate to the 'My Account' section. Inject a payload such as '=calc|a!z|' into the firstname field. When an admin exports customer data as a CSV file, the injected formula will be executed, opening the calculator application on the admin's computer.
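As an added defensive example (not Rukovoditel's own code), the standard mitigation for this bug class is to neutralize any cell a spreadsheet would evaluate as a formula before the export is written. The customer rows and function names below are constructed for this illustration; the firstname value is the payload quoted in the advisory.

```python
import csv
import io

# Leading characters that make spreadsheet software evaluate a cell as a formula
# (OWASP CSV injection guidance: = + - @ and the tab / carriage-return controls).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """True when the cell would be interpreted as a formula on opening the CSV."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return the cell as text a spreadsheet will not evaluate.

    Control characters are replaced so a cell cannot be split into a second
    field, and formula-looking cells get a leading single quote, which
    spreadsheets treat as a 'this is text' marker.
    """
    text = str(value)
    cleaned = text.replace("\t", " ").replace("\r", " ").replace("\n", " ")
    if looks_like_formula(text):
        return "'" + cleaned
    return cleaned


def export_customers_csv(rows) -> str:
    """Render customer rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["id", "firstname", "lastname", "email"])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: one benign customer and one whose firstname carries
# the formula payload from the advisory.
SAMPLE_CUSTOMERS = [
    (1, "Alice", "Smith", "alice@example.com"),
    (2, "=calc|a!z|", "Mallory", "mallory@example.com"),
]

if __name__ == "__main__":
    print(export_customers_csv(SAMPLE_CUSTOMERS))
```

Quoting alone does not stop evaluation; the single-quote prefix is what turns the cell into inert text, so a detection check on import (`looks_like_formula`) is a useful second line of defence at the point the firstname is saved.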