CVE-2020-10879

Name of the Vulnerable Software and Affected Versions: rConfig versions prior to 3.9.5

Description: The issue is related to a lack of proper neutralization of special elements used in operating system commands. This can be exploited by a remote attacker using a specially crafted GET request, allowing them to execute arbitrary commands on the target system. The nodeId parameter in lib/crud/search.crud.php is passed directly to the exec function without being escaped, leading to command injection.

Recommendations: For versions prior to 3.9.5, update to version 3.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the lib/crud/search.crud.php file to minimize the risk of exploitation. Avoid using the nodeId parameter in the affected API endpoint until the issue is resolved.