Skip to main content

Rconfig

31 CVEs product

Monthly

CVE-2023-39110 HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
2.7%
CVE-2023-39109 HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
3.0%
CVE-2023-39108 HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
3.0%
CVE-2023-24366 MEDIUM POC This Month

An arbitrary file download vulnerability in rConfig v6.8.0 allows attackers to download sensitive files via a crafted HTTP request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Rconfig
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-44384 HIGH POC Act Now

An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Rconfig
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
5.0%
CVE-2021-29006 MEDIUM POC This Month

rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Rconfig
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
7.0%
CVE-2021-29005 HIGH POC This Week

Insecure permission of chmod command on rConfig server 3.9.6 exists. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apache Rconfig
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
1.8%
CVE-2021-29004 HIGH POC This Week

rConfig 3.9.6 is affected by SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Rconfig
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
2.1%
CVE-2020-13638 CRITICAL POC THREAT Act Now

lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Authentication Bypass PHP Rconfig
NVD
CVSS 3.1
9.8
EPSS
76.8%
CVE-2020-13778 HIGH POC This Week

rConfig 3.9.4 and earlier allows authenticated code execution (of system commands) by sending a forged GET request to lib/ajaxHandlers/ajaxAddTemplate.php or lib/ajaxHandlers/ajaxEditTemplate.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
4.2%
CVE-2020-15715 CRITICAL Act Now

rConfig 3.9.5 could allow a remote authenticated attacker to execute arbitrary code on the system, because of an error in the search.crud.php script. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Rconfig
NVD
CVSS 3.1
9.9
EPSS
4.2%
CVE-2020-15714 HIGH This Week

rConfig 3.9.5 is vulnerable to SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PHP Rconfig
NVD
CVSS 3.1
8.8
EPSS
2.8%
CVE-2020-15713 HIGH This Week

rConfig 3.9.5 is vulnerable to SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PHP Rconfig
NVD
CVSS 3.1
8.8
EPSS
2.8%
CVE-2020-15712 MEDIUM This Month

rConfig 3.9.5 could allow a remote authenticated attacker to traverse directories on the system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Path Traversal Rconfig
NVD
CVSS 3.1
4.3
EPSS
1.6%
CVE-2020-10549 CRITICAL POC THREAT Act Now

rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub
CVSS 3.1
9.8
EPSS
36.2%
CVE-2020-10548 CRITICAL POC THREAT Act Now

rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub
CVSS 3.1
9.8
EPSS
36.1%
CVE-2020-10547 CRITICAL POC THREAT Act Now

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub
CVSS 3.1
9.8
EPSS
36.1%
CVE-2020-10546 CRITICAL POC THREAT Act Now

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub
CVSS 3.1
9.8
EPSS
87.3%
CVE-2020-12256 MEDIUM POC THREAT This Month

rConfig 3.9.4 is vulnerable to reflected XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Rconfig
NVD GitHub
CVSS 3.1
5.4
EPSS
95.8%
CVE-2020-12255 HIGH This Week

rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE PHP Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
52.6%
CVE-2020-12258 CRITICAL Act Now

rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Rconfig
NVD GitHub
CVSS 3.1
9.1
EPSS
1.7%
CVE-2020-12257 HIGH POC This Week

rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) because it lacks implementation of CSRF protection such as a CSRF token. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2020-12259 MEDIUM POC THREAT This Month

rConfig 3.9.4 is vulnerable to reflected XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Rconfig
NVD GitHub
CVSS 3.1
5.4
EPSS
94.8%
CVE-2020-10879 CRITICAL POC PATCH THREAT Act Now

rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection PHP Rconfig
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
83.9%
CVE-2020-9425 HIGH POC PATCH THREAT This Week

An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure PHP Rconfig
NVD GitHub
CVSS 3.1
7.5
EPSS
16.7%
CVE-2020-10221 HIGH POC KEV THREAT This Week

lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Rconfig
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
36.8%
CVE-2020-10220 CRITICAL POC THREAT Emergency

An issue was discovered in rConfig through 3.9.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
99.7%
CVE-2019-19372 HIGH This Week

A downloadFile.php download_file path traversal vulnerability in rConfig through 3.9.3 allows attackers to list files in arbitrary folders and potentially download files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Path Traversal Rconfig
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2019-19207 HIGH POC THREAT This Week

rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD
CVSS 3.1
8.8
EPSS
22.7%
CVE-2019-16663 HIGH POC THREAT This Week

An issue was discovered in rConfig 3.9.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Rconfig
NVD GitHub
CVSS 3.1
8.8
EPSS
84.7%
CVE-2019-16662 CRITICAL POC THREAT Emergency

An issue was discovered in rConfig 3.9.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Rconfig
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
97.7%
EPSS 3% CVSS 8.8
HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC This Week

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Rconfig
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

An arbitrary file download vulnerability in rConfig v6.8.0 allows attackers to download sensitive files via a crafted HTTP request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Rconfig
NVD GitHub
EPSS 5% CVSS 8.8
HIGH POC Act Now

An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 7% CVSS 6.5
MEDIUM POC This Month

rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Rconfig
NVD GitHub VulDB
EPSS 2% CVSS 8.8
HIGH POC This Week

Insecure permission of chmod command on rConfig server 3.9.6 exists. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apache Rconfig
NVD GitHub VulDB
EPSS 2% CVSS 8.8
HIGH POC This Week

rConfig 3.9.6 is affected by SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Rconfig
NVD GitHub VulDB
EPSS 77% CVSS 9.8
CRITICAL POC THREAT Act Now

lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Authentication Bypass PHP +1
NVD
EPSS 4% CVSS 8.8
HIGH POC This Week

rConfig 3.9.4 and earlier allows authenticated code execution (of system commands) by sending a forged GET request to lib/ajaxHandlers/ajaxAddTemplate.php or lib/ajaxHandlers/ajaxEditTemplate.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Command Injection PHP +1
NVD GitHub
EPSS 4% CVSS 9.9
CRITICAL Act Now

rConfig 3.9.5 could allow a remote authenticated attacker to execute arbitrary code on the system, because of an error in the search.crud.php script. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Rconfig
NVD
EPSS 3% CVSS 8.8
HIGH This Week

rConfig 3.9.5 is vulnerable to SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PHP Rconfig
NVD
EPSS 3% CVSS 8.8
HIGH This Week

rConfig 3.9.5 is vulnerable to SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi PHP Rconfig
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

rConfig 3.9.5 could allow a remote authenticated attacker to traverse directories on the system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Path Traversal Rconfig
NVD
EPSS 36% CVSS 9.8
CRITICAL POC THREAT Act Now

rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub
EPSS 36% CVSS 9.8
CRITICAL POC THREAT Act Now

rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub
EPSS 36% CVSS 9.8
CRITICAL POC THREAT Act Now

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub
EPSS 87% CVSS 9.8
CRITICAL POC THREAT Act Now

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub
EPSS 96% CVSS 5.4
MEDIUM POC THREAT This Month

rConfig 3.9.4 is vulnerable to reflected XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Rconfig
NVD GitHub
EPSS 53% CVSS 8.8
HIGH This Week

rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE PHP +1
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL Act Now

rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation Information Disclosure Rconfig
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) because it lacks implementation of CSRF protection such as a CSRF token. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Rconfig
NVD GitHub
EPSS 95% CVSS 5.4
MEDIUM POC THREAT This Month

rConfig 3.9.4 is vulnerable to reflected XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Rconfig
NVD GitHub
EPSS 84% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection PHP Rconfig
NVD GitHub Exploit-DB
EPSS 17% CVSS 7.5
HIGH POC PATCH THREAT This Week

An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure PHP Rconfig
NVD GitHub
EPSS 37% CVSS 8.8
HIGH POC KEV THREAT This Week

lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection PHP Rconfig
NVD GitHub Exploit-DB
EPSS 100% CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in rConfig through 3.9.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD GitHub Exploit-DB
EPSS 1% CVSS 7.5
HIGH This Week

A downloadFile.php download_file path traversal vulnerability in rConfig through 3.9.3 allows attackers to list files in arbitrary folders and potentially download files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Path Traversal Rconfig
NVD GitHub
EPSS 23% CVSS 8.8
HIGH POC THREAT This Week

rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Rconfig
NVD
EPSS 85% CVSS 8.8
HIGH POC THREAT This Week

An issue was discovered in rConfig 3.9.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Rconfig
NVD GitHub
EPSS 98% CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in rConfig 3.9.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Rconfig
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy