CVE-2020-10549

Name of the Vulnerable Software and Affected Versions rConfig versions 3.9.4 and previous versions

Description The issue is related to an unauthenticated SQL injection in snippets.inc.php, which can lead to lateral movement. Since nodes' passwords are stored in cleartext by default, an attacker can gain access to monitored network devices.

Recommendations For rConfig versions 3.9.4 and previous versions, consider restricting access to the snippets.inc.php file as a temporary workaround until a patch is available. Additionally, changing the default password storage to a more secure method can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.