Vikingfr

**Name of the Vulnerable Software and Affected Versions** rConfig versions 3.9.4 and earlier **Description** The issue allows authenticated code execution of system commands by sending a forged GET request to specific API endpoints, such as "lib/ajaxHandlers/ajaxAddTemplate.php" or "lib/ajaxHandlers/ajaxEditTemplate.php". **Recommendations** For versions 3.9.4 and earlier, consider disabling access to the "lib/ajaxHandlers/ajaxAddTemplate.php" and "lib/ajaxHandlers/ajaxEditTemplate.php" API endpoints until a patch is available. Restrict authenticated users' ability to send forged GET requests to these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** rConfig versions 3.9.4 and earlier **Description** The issue is related to a lack of protection against SQL query structure exploitation in the commands.inc.php component of the rConfig utility for managing network device configurations. This can be exploited by a remote attacker using a specially crafted GET request, potentially allowing the execution of arbitrary commands. The web interface is prone to SQL injection via the `searchColumn` parameter. **Recommendations** For rConfig versions 3.9.4 and earlier, consider disabling the `searchColumn` parameter in the commands.inc.php component as a temporary workaround until a patch is available. Restrict access to the commands.inc.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** rConfig version 3.9.3 **Description** The issue is related to errors in handling HTTP requests in the ajaxArchiveFiles.php component of the rConfig utility for managing network device configurations. Exploitation of this issue may allow a remote attacker to execute arbitrary commands in the target system by sending specially crafted GET requests. The `path` parameter is passed to the `exec` function without filtering, which can lead to command execution. A remote authenticated user can directly execute system commands by sending a GET request to "ajaxArchiveFiles.php". **Recommendations** For rConfig version 3.9.3, consider disabling the `ajaxArchiveFiles.php` component or restricting access to it until a patch is available. As a temporary workaround, avoid using the `path` parameter in the affected "ajaxArchiveFiles.php" endpoint to minimize the risk of exploitation.