PT-2019-4524 · Rconfig · Rconfig

Vikingfr · Published 2019-11-07 · Updated 2023-01-31 · CVE-2019-19509

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: rConfig version 3.9.3

Description: The issue stems from incorrect handling of HTTP requests in the ajaxArchiveFiles.php component of rConfig, a utility for managing network device configurations. The path parameter of a GET request is passed to the exec function without filtering, so a remote authenticated user can execute arbitrary system commands on the target by sending a specially crafted GET request to "ajaxArchiveFiles.php".

Recommendations: For rConfig version 3.9.3, consider disabling the ajaxArchiveFiles.php component or restricting access to it until a patch is available. As a temporary workaround, avoid using the path parameter of the affected "ajaxArchiveFiles.php" endpoint to minimize the risk of exploitation.
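Because the workaround above relies on restricting or avoiding the endpoint, an administrator will want to verify from web server logs whether the endpoint is still being reached and whether any path parameter values carry shell metacharacters. The following is an added example, not code from the advisory or from the rConfig project: it parses Apache combined-format access log lines (constructed sample lines below; the directory in which ajaxArchiveFiles.php sits is an assumption, so the script matches on the file name only) and reports both endpoint hits and path values that would change the meaning of a shell command line.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache combined format; the request paths,
# addresses and user names are made up for this example and are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [07/Nov/2019:10:01:12 +0000] "GET /ajaxArchiveFiles.php?path=/home/rconfig/backups HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - admin [07/Nov/2019:10:02:30 +0000] "GET /ajaxArchiveFiles.php?path=%2Ftmp%3Bid HTTP/1.1" 200 128 "-" "curl/7.64.1"
10.0.0.5 - admin [07/Nov/2019:10:03:01 +0000] "GET /devices.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client, user, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that a shell interprets as command separators, pipes, substitutions
# or grouping; a legitimate directory path should not need any of them.
SHELL_META = re.compile(r'[;|&`$\n\r<>(){}]')

ENDPOINT = 'ajaxarchivefiles.php'


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['target'])
    entry['script'] = parts.path.rsplit('/', 1)[-1].lower()
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    entry['params'] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def endpoint_hits(log_text):
    """All requests that reached ajaxArchiveFiles.php, useful to confirm an access
    restriction is actually in effect."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e['script'] == ENDPOINT:
            hits.append((e['ip'], e['user'], e['ts']))
    return hits


def suspicious_path_values(entry):
    """path parameter values for the endpoint that contain shell metacharacters."""
    if entry is None or entry['script'] != ENDPOINT:
        return []
    return [v for v in entry['params'].get('path', []) if SHELL_META.search(v)]


def scan_log(log_text):
    """Return one finding per log line whose path parameter looks like an injection attempt."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        bad = suspicious_path_values(e)
        if bad:
            findings.append({'ip': e['ip'], 'user': e['user'], 'ts': e['ts'], 'values': bad})
    return findings


if __name__ == '__main__':
    print('endpoint hits:', endpoint_hits(SAMPLE_LOG))
    for f in scan_log(SAMPLE_LOG):
        print('suspicious request from %s (user %s) at %s: %r' % (f['ip'], f['user'], f['ts'], f['values']))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. A non-empty result from endpoint_hits after the component has supposedly been disabled means the restriction is not in place; any finding from scan_log identifies a request, its source address and the authenticated account that should be reviewed.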

Weakness Enumeration: OS Command Injection

Related Identifiers: BDU:2020-00536, CVE-2019-19509

Affected Products: Rconfig