CVE-2019-7541

Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.

Source: CVE-2019-7541