PT-2021-11130 · rConfig
Published: 2021-08-20 · Updated: 2022-10-05 · CVE-2020-25359
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: rConfig version 3.9.5
Description: An arbitrary file deletion issue allows attackers to delete files by sending a crafted request to "/lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php" and specifying a path in the path parameter and an extension in the ext parameter. This enables the deletion of all files with the specified extension in the given path.
Recommendations: For rConfig version 3.9.5, update to version 3.9.6 to resolve the issue. As a temporary workaround, consider restricting access to the "/lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php" endpoint until the update is applied. Avoid using the path and ext parameters in the affected API endpoint until the issue is resolved.
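The recommendation above is to block the endpoint until the fix is applied; a defender will also want to know whether it was already reached. The following added example (not part of the advisory and not rConfig's own code) scans web-server access logs in combined log format for requests to "/lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php", extracts the path and ext parameters the advisory names, and flags the requests that look least like routine log cleanup. The sample log lines are constructed, and the "suspicious" heuristic (absolute or parent-traversing path, or an extension other than log) is an assumption made here, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in PT-2021-11130 / CVE-2020-25359.
ENDPOINT = "/lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2021:10:01:09 +0000] "GET /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php?path=/var/www/html/&ext=php HTTP/1.1" 200 17 "-" "curl/7.68.0"
198.51.100.4 - - [20/Aug/2021:10:02:30 +0000] "GET /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php?path=logs/&ext=log HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Aug/2021:10:03:00 +0000] "GET /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""


def is_suspicious(path, ext):
    """Heuristic assumed for this example: an absolute or parent-traversing
    path, or any extension other than 'log', is unlike routine log cleanup."""
    if path is not None and (path.startswith("/") or ".." in path):
        return True
    if ext is not None and ext.lower() != "log":
        return True
    return False


def find_deletion_requests(log_text):
    """Return one record per request to the vulnerable endpoint, with the
    path/ext parameters it carried and the heuristic suspicious flag."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        qs = parse_qs(url.query)
        path = qs.get("path", [None])[0]
        ext = qs.get("ext", [None])[0]
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "path": path,
            "ext": ext,
            "suspicious": is_suspicious(path, ext),
        })
    return hits


if __name__ == "__main__":
    for h in find_deletion_requests(SAMPLE_LOG):
        flag = "SUSPICIOUS" if h["suspicious"] else "review"
        print(f'{flag:10} {h["ts"]} {h["ip"]} path={h["path"]!r} ext={h["ext"]!r} status={h["status"]}')
```

Run it against a real access log by passing the file contents to find_deletion_requests; because the endpoint needs no authorization on 3.9.5, every hit from an unexpected source address deserves a look, not only the flagged ones.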

Weakness Enumeration: Missing Authorization
Related Identifiers: CVE-2020-25359
Affected Products: rConfig