PT-2020-13077 · Rconfig · Rconfig
Farid007
·
Published
2020-05-18
·
Updated
2020-05-18
·
CVE-2020-12256
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
rConfig version 3.9.4
Description
The issue concerns improper validation of user input in the devicemgmnt.php file, allowing for reflected XSS attacks. An attacker can exploit this by crafting arbitrary JavaScript in the
deviceId GET parameter to the "devicemgmnt.php" endpoint.Recommendations
For version 3.9.4, consider disabling the
devicemgmnt.php file or restricting access to it until a patch is available. Avoid using the deviceId parameter in the affected endpoint until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Rconfig