CVE-2021-29004

Name of the Vulnerable Software and Affected Versions: rConfig version 3.9.6

Description: The issue allows for SQL Injection, requiring the attacker to be authenticated to exploit the vulnerability. If the --secure-file-priv option in the MySQL server is not set and the MySQL server is the same as the rConfig server, an attacker may successfully upload a webshell to the server and access it remotely.

Recommendations: For rConfig version 3.9.6, consider disabling access to the MySQL server until a patch is available, and ensure the --secure-file-priv option is properly set to prevent webshell uploads. Restrict access to the rConfig application to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.