PT-2019-15823 · Rconfig · Rconfig

Published: 2019-11-28 · Updated: 2024-08-05 · CVE-2019-19372

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: rConfig versions 3.9.3 and earlier

Description: A path traversal issue in the file download script downloadFile.php allows attackers to list files in arbitrary folders and potentially download files. The discoverer reported that there was not a fully working exploit.

Recommendations: For versions 3.9.3 and earlier, consider restricting access to the downloadFile.php file until a patch is available. As a temporary workaround, limit the ability to list files in arbitrary folders to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2019-19372

Affected Products: Rconfig