CVE-2020-10547

Name of the Vulnerable Software and Affected Versions rConfig versions 3.9.4 and earlier

Description The issue is related to an unauthenticated SQL injection in compliancepolicyelements.inc.php, which can lead to lateral movement. Since nodes' passwords are stored in cleartext by default, an attacker can gain access to monitored network devices.

Recommendations For versions 3.9.4 and earlier, update to a version that addresses this issue to prevent SQL injection and lateral movement. As a temporary workaround, consider restricting access to the compliancepolicyelements.inc.php file until a patch is available. Avoid using cleartext storage for nodes' passwords to minimize the risk of exploitation.