rConfig <= 3.9.5 Multiple Vulnerabilities

Published: 2020-05-19 04:38:10
CVE Author: NIST National Vulnerability Database

CVSS Base Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Detection Type:
Remote Banner

Solution Type:
None Available

Summary:
rConfig is prone to multiple vulnerabilities.

Detection Method:
Checks if a vulnerable version is present on the target host.

Technical Details:
rConfig is prone to multiple vulnerabilities:
- Remote code execution vulnerability due to improper validation in the file upload functionality (CVE-2020-12255)
- Multiple XSS vulnerabilities (CVE-2020-12256, CVE-2020-12259)
- CSRF vulnerability (CVE-2020-12257)
- Session fixation vulnerability (CVE-2020-12258)

Affected Versions:
rConfig version 3.9.5 and prior.

Recommendations:
No known solution is available as of 19th May, 2020. Information regarding this issue will be updated once solution details are available.

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2020-12255
https://nvd.nist.gov/vuln/detail/CVE-2020-12256
https://nvd.nist.gov/vuln/detail/CVE-2020-12257
https://nvd.nist.gov/vuln/detail/CVE-2020-12258
https://nvd.nist.gov/vuln/detail/CVE-2020-12259

CVE Analysis

https://www.mageni.net/cve/CVE-2020-12255
https://www.mageni.net/cve/CVE-2020-12256
https://www.mageni.net/cve/CVE-2020-12257
https://www.mageni.net/cve/CVE-2020-12258
https://www.mageni.net/cve/CVE-2020-12259

References:

https://gist.github.com/farid007/9f6ad063645d5b1550298c8b9ae953ff
https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
https://gist.github.com/farid007/eb7310749520fb8cdf5942573c9954ef

Severity:
Medium

CVSS Score:
6.8

Published:
2020-05-19

Modified:
2020-05-19

Category:
Web application abuses
