Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
rconfig rconfig vulnerabilities and exploits
(subscribe to this query)
8.8
CVSSv3
CVE-2020-10221
lib/ajaxHandlers/ajaxAddTemplate.php in rConfig up to and including 3.94 allows remote malicious users to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter.
Rconfig Rconfig
1 EDB exploit
1 Github repository
7.5
CVSSv3
CVE-2020-9425
An issue exists in includes/head.inc.php in rConfig prior to 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, re...
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10879
rConfig prior to 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped.
Rconfig Rconfig
7.8
CVSSv3
CVE-2020-27464
An insecure update feature in the /updater.php component of rConfig 3.9.6 and below allows malicious users to execute arbitrary code via a crafted ZIP file.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10546
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10547
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10548
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10549
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Rconfig Rconfig
7.5
CVSSv3
CVE-2019-19372
A downloadFile.php download_file path traversal vulnerability in rConfig up to and including 3.9.3 allows malicious users to list files in arbitrary folders and potentially download files. NOTE: the discoverer later reported that there was not a "fully working exploit.
Rconfig Rconfig
9.8
CVSSv3
CVE-2020-10220
An issue exists in rConfig up to and including 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchColumn parameter.
Rconfig Rconfig
2 EDB exploits
2 Github repositories
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
SSTI
CVE-2024-35863
CVE-2024-35910
man-in-the-middle
CVE-2024-35912
CVE-2024-25742
LFI
CVE-2024-32002
CVE-2024-22120
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
NEXT »