rConfig 3.9.5 Security Vulnerabilities
rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.php script using the sortBy parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2020-07-28
rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.crud.php script using the custom_Location parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database.
CVSS Score: 8.8
EPSS Score: 0.004
Published: 2020-07-28
rConfig 3.9.5 could allow a remote authenticated attacker to execute arbitrary code on the system, because of an error in the search.crud.php script. An attacker could exploit this vulnerability using the nodeId parameter.
CVSS Score: 9.9
EPSS Score: 0.027
Published: 2020-07-28
rConfig 3.9.5 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a crafted request to the ajaxGetFileByPath.php script containing hexadecimal encoded "dot dot" sequences (%2f..%2f) in the path parameter to view arbitrary files on the system.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2020-07-28



Shodan ® - All rights reserved