Note:
This project will be discontinued after December 13, 2021.
Product: Rconfig (Rconfig)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 44 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2020-11-13 | CVE-2020-13638 | lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7. | Rconfig | 9.8 | ||
2021-08-09 | CVE-2020-23148 | The userLogin parameter in ldap/login.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform an LDAP injection and obtain sensitive information via a crafted POST request. | Rconfig | 7.5 | ||
2021-08-09 | CVE-2020-23149 | The dbName parameter in ajaxDbInstall.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a SQL injection and access sensitive database information. | Rconfig | 7.5 | ||
2021-08-09 | CVE-2020-23150 | A SQL injection vulnerability in config.inc.php of rConfig 3.9.5 allows attackers to access sensitive database information via a crafted GET request to install/lib/ajaxHandlers/ajaxDbInstall.php. | Rconfig | 7.5 | ||
2021-08-09 | CVE-2020-23151 | rConfig 3.9.5 allows command injection by sending a crafted GET request to lib/ajaxHandlers/ajaxArchiveFiles.php since the path parameter is passed directly to the exec function without being escaped. | Rconfig | 9.8 | ||
2021-08-20 | CVE-2020-25351 | An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote authenticated attackers to read files on the system via a crafted request sent to the /lib/crud/configcompare.crud.php script. | Rconfig | 6.5 | ||
2021-08-20 | CVE-2020-25352 | A stored cross-site scripting (XSS) vulnerability in the /devices.php function in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote attackers to perform arbitrary JavaScript execution through entering a crafted payload into the 'Model' field then saving. | Rconfig | 5.4 | ||
2021-08-20 | CVE-2020-25353 | A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability allowed remote authenticated attackers to open a connection to the machine via the deviceIpAddr and connPort parameters. | Rconfig | 6.5 | ||
2021-08-20 | CVE-2020-25359 | An arbitrary file deletion vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability gave attackers the ability to send a crafted request to /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php by specifying a path in the path parameter and an extension in the ext parameter and delete all the files with that extension in that path. | Rconfig | 9.1 | ||
2021-08-20 | CVE-2020-27464 | An insecure update feature in the /updater.php component of rConfig 3.9.6 and below allows attackers to execute arbitrary code via a crafted ZIP file. | Rconfig | 7.8 | ||