PT-2020-6842 · Rconfig · Rconfig

Engin Demirbilek · Published 2020-03-08 · Updated 2025-02-04 · CVE-2020-10221

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: rConfig versions 3.94 and earlier

Description: The issue exists in the lib/ajaxHandlers/ajaxAddTemplate.php component of the rConfig utility for managing network device configurations, due to the lack of measures to neutralize special elements used in operating system commands. This allows a remote attacker to execute arbitrary operating system commands through the fileName parameter in a POST request.

Recommendations: For versions 3.94 and earlier, consider disabling the ajaxAddTemplate.php component until a patch is available to prevent exploitation. Restrict access to the fileName parameter in the POST request to minimize the risk of arbitrary OS command execution.
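A defensive illustration of the recommendation above, added here as an example that is not rConfig's own code: a hypothetical PHP handler for a fileName POST parameter that allow-lists the value and never hands it to a shell (TEMPLATE_DIR, the function names and the .yml convention are assumptions).

```php
<?php
// Hypothetical hardened handling of a "fileName" POST parameter (added example,
// not rConfig's code). The advisory describes the unsafe case: the raw value
// reaching an operating system command. Here the value never reaches a shell.
declare(strict_types=1);

const TEMPLATE_DIR = '/var/lib/app/templates'; // assumed storage directory

// Accept only a conservative allow-list: starts with a letter or digit, then
// letters, digits, dot, underscore or hyphen, at most 64 characters in total.
// Path separators, whitespace, quotes, $, ;, |, &, backticks etc. are all
// rejected by construction, as are "." and "..".
function validateTemplateFileName(string $raw): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $raw)) {
        throw new InvalidArgumentException('fileName rejected by allow-list');
    }
    // Normalise the extension so callers cannot pick an arbitrary file type.
    return preg_replace('/\.yml$/', '', $raw) . '.yml';
}

// Write the template with PHP file functions instead of shelling out
// (no exec()/system()/shell_exec() with interpolated user input).
function saveTemplate(string $fileName, string $content): string
{
    $name = validateTemplateFileName($fileName);
    $path = TEMPLATE_DIR . DIRECTORY_SEPARATOR . $name;
    if (file_put_contents($path, $content, LOCK_EX) === false) {
        throw new RuntimeException('unable to write template');
    }
    return $path;
}

// If an external tool genuinely must be invoked, pass the validated path as a
// single quoted argument rather than interpolating the raw parameter:
//   $cmd = 'template-lint ' . escapeshellarg($path);

// Request entry point (assumed shape of the AJAX handler).
$fileName = $_POST['fileName'] ?? '';
$content  = $_POST['templateBody'] ?? '';
try {
    $saved = saveTemplate($fileName, $content);
    echo json_encode(['status' => 'ok', 'file' => basename($saved)]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['status' => 'error', 'message' => $e->getMessage()]);
}
```

The allow-list, not escaping, is what removes the injection class: a value that cannot contain shell metacharacters or separators has nothing for a command interpreter to act on, and escapeshellarg() is kept only as a second layer where a command cannot be avoided.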

Exploit

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: BDU:2023-00727, CVE-2020-10221

Affected Products: Rconfig