<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rukovoditel - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rukovoditel/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rukovoditel/feed.xml" rel="self" type="application/rss+xml"/><item><title>Rukovoditel CRM Reflected XSS Vulnerability (CVE-2026-31845)</title><link>https://feed.craftedsignal.io/briefs/2024-01-rukovoditel-xss/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rukovoditel-xss/</guid><description>A reflected XSS vulnerability in Rukovoditel CRM version 3.6.4 and earlier allows unauthenticated attackers to inject malicious JavaScript by reflecting the 'zd_echo' GET parameter, leading to potential session hijacking and account takeover.</description><content:encoded><![CDATA[<p>Rukovoditel CRM version 3.6.4 and earlier is vulnerable to a reflected cross-site scripting (XSS) attack. This vulnerability resides in the Zadarma telephony API endpoint (/api/tel/zadarma.php), where the application unsafely reflects the 'zd_echo' GET parameter directly into the HTTP response. This direct reflection, without proper sanitization, output encoding, or content-type restrictions, allows for the injection of arbitrary JavaScript code. An unauthenticated attacker can craft malicious URLs containing XSS payloads to exploit this vulnerability. The vulnerability was reported on 2026-04-11. Rukovoditel CRM is a web-based application, making this a potentially widespread vulnerability affecting any installations running the vulnerable version. Defenders should prioritize patching and implement mitigations to prevent exploitation. The vulnerability is fixed in version 3.7.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious URL containing a JavaScript payload within the <code>zd_echo</code> GET parameter, targeting the <code>/api/tel/zadarma.php</code> endpoint. For example: <code>/api/tel/zadarma.php?zd_echo=&lt;script&gt;alert('XSS')&lt;/script&gt;</code>.</li>
<li>The attacker distributes the malicious URL via email, social media, or other channels to a potential victim.</li>
<li>The victim, unaware of the malicious intent, clicks on the crafted URL.</li>
<li>The victim's browser sends an HTTP GET request to the Rukovoditel CRM server, including the malicious <code>zd_echo</code> parameter.</li>
<li>The Rukovoditel CRM server receives the request and, due to the vulnerability, directly reflects the JavaScript payload from the <code>zd_echo</code> parameter into the HTTP response without proper sanitization.</li>
<li>The server sends the HTTP response containing the attacker's JavaScript payload back to the victim's browser. The Content-Type of the response may not be properly set to prevent script execution.</li>
<li>The victim's browser executes the injected JavaScript code within the context of the Rukovoditel CRM application.</li>
<li>The attacker's JavaScript payload can then perform actions such as stealing cookies, redirecting the user to a phishing site, or modifying the content of the page. This can lead to session hijacking, credential theft, or account takeover.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this reflected XSS vulnerability can have severe consequences. An attacker can hijack user sessions, potentially gaining unauthorized access to sensitive data within the Rukovoditel CRM system. Credential theft is also possible, allowing the attacker to directly compromise user accounts. Furthermore, the attacker could use the XSS vulnerability to redirect users to phishing sites, tricking them into revealing their login credentials or other personal information. Account takeover could lead to complete control over the CRM data, affecting customer relationships and business operations. While the specific number of victims is unknown, any organization using Rukovoditel CRM version 3.6.4 or earlier is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Rukovoditel CRM to version 3.7 or later to address the vulnerability.</li>
<li>Deploy the provided Sigma rule <code>Detect Rukovoditel CRM XSS Attempt</code> to monitor for exploitation attempts targeting the <code>/api/tel/zadarma.php</code> endpoint.</li>
<li>Implement a web application firewall (WAF) rule to filter requests containing potentially malicious JavaScript payloads in the <code>zd_echo</code> parameter.</li>
<li>Enable proper input validation and output encoding on all user-supplied input fields within the Rukovoditel CRM application, following secure coding practices to prevent future XSS vulnerabilities.</li>
<li>Educate users about the risks of clicking on suspicious links and the importance of verifying the authenticity of URLs before visiting them.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>rukovoditel</category><category>xss</category><category>cve-2026-31845</category><category>web-application</category></item></channel></rss>