Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
rconfig vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2020-13638
lib/crud/userprocess.php in rConfig 3.9.x prior to 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
Rconfig Rconfig
8.8
CVSSv3
CVE-2020-13778
rConfig 3.9.4 and previous versions allows authenticated code execution (of system commands) by sending a forged GET request to lib/ajaxHandlers/ajaxAddTemplate.php or lib/ajaxHandlers/ajaxEditTemplate.php.
Rconfig Rconfig
7.5
CVSSv3
CVE-2019-19372
A downloadFile.php download_file path traversal vulnerability in rConfig up to and including 3.9.3 allows malicious users to list files in arbitrary folders and potentially download files. NOTE: the discoverer later reported that there was not a "fully working exploit.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10220
An issue exists in rConfig up to and including 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
Rconfig Rconfig
2 EDB exploits
2 Github repositories
9.8
CVSSv3
CVE-2020-10546
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10547
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10548
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10549
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Rconfig Rconfig
7.5
CVSSv3
CVE-2020-9425
An issue exists in includes/head.inc.php in rConfig prior to 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, re...
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10879
rConfig prior to 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped.
Rconfig Rconfig
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
cross-site request forgery
CVE-2024-34351
CVE-2024-1076
CVE-2024-25522
CVE-2024-34547
CVE-2024-4644
unauthorized
remote
CVE-2024-4671
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
NEXT »