CVE-2023-39108

Name of the Vulnerable Software and Affected Versions rconfig version 3.9.4

Description The issue allows authenticated attackers to make arbitrary requests via injection of crafted URLs, exploiting a Server-Side Request Forgery (SSRF) vulnerability. This is achieved through the path b parameter in the doDiff function of the /classes/compareClass.php endpoint.

Recommendations For version 3.9.4, consider restricting access to the /classes/compareClass.php endpoint or disabling the doDiff function until a patch is available. Avoid using the path b parameter in the affected endpoint to minimize the risk of exploitation.