PT-2019-15783 · Rconfig · Rconfig

Published: 2019-11-21 · Updated: 2019-11-26 · CVE-2019-19207

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: rConfig version 3.9.2

Description: rConfig is vulnerable to SQL injection through the devices.php endpoint when the searchColumn parameter is manipulated. This can potentially lead to unauthorized access to or modification of database content.

Recommendations: For rConfig version 3.9.2, consider restricting access to the devices.php endpoint until a patch is available, or avoid using the searchColumn parameter in this endpoint to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2019-19207

Affected Products

Rconfig