CVE-2020-12259

Name of the Vulnerable Software and Affected Versions rConfig version 3.9.4

Description The issue concerns improper validation of user input in the configDevice.php file, allowing for reflected XSS attacks. An attacker can exploit this by crafting arbitrary JavaScript in the rid GET parameter of the "devicemgmnt.php" endpoint.

Recommendations For rConfig version 3.9.4, consider restricting access to the configDevice.php file and the devicemgmnt.php endpoint until a patch is available. As a temporary workaround, avoid using the rid parameter in the devicemgmnt.php endpoint to minimize the risk of exploitation.