Vendor
A reflected XSS vulnerability in Rukovoditel CRM version 3.6.4 and earlier allows unauthenticated attackers to inject malicious JavaScript by reflecting the 'zd_echo' GET parameter, leading to potential session hijacking and account takeover.