Rukovoditel up to and including 2.4.1 allows XSS via a URL that lacks a module=users%2flogin substring.
Vendor: rukovoditel; Product: rukovoditel