CVE-2019-16662

Name of the Vulnerable Software and Affected Versions rConfig version 3.9.2

Description An issue allows an attacker to directly execute system commands by sending a GET request to "ajaxServerSettingsChk.php" because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

Recommendations For rConfig version 3.9.2, as a temporary workaround, consider restricting access to the "ajaxServerSettingsChk.php" endpoint until a patch is available. Avoid using the rootUname parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.