CVE-2019-6961

Name of the Vulnerable Software and Affected Versions RDK RDKB-20181217-1 WebUI module (affected versions not specified)

Description The issue concerns incorrect access control in the actionHandlerUtility.php file, allowing a logged-in user to modify privileged configurations, such as DDNS, QoS, and RIP, by sending an HTTP POST request to the PHP backend. This is possible because the page filtering for non-superusers, implemented in header.php, only applies to GET requests and not to direct AJAX calls.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.