CVE-2019-7541

Rukovoditel through 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.
Source: NIST
CVE-2019-7541