CVE-2023-39110

Name of the Vulnerable Software and Affected Versions rconfig version 3.9.4

Description The issue allows authenticated attackers to make arbitrary requests via injection of crafted URLs, exploiting a Server-Side Request Forgery (SSRF) vulnerability. This is achieved through the path parameter at the "/ajaxGetFileByPath.php" API endpoint.

Recommendations For version 3.9.4, consider restricting access to the "/ajaxGetFileByPath.php" API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the path parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.