Product: rconfig
44 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE | Affected versions | Description
CVE-2023-39110 | all versions | rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. Th
CVE-2023-39109 | all versions | rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /
CVE-2023-39108 | all versions | rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /
CVE-2022-45030 | all versions | A SQL injection vulnerability in rConfig 3.9.7 exists via lib/ajaxHandlers/ajaxCompareGetCmdDates.php?command= (this may interact
CVE-2023-24366 | all versions | An arbitrary file download vulnerability in rConfig v6.8.0 allows attackers to download sensitive files via a crafted HTTP request
CVE-2022-44384 | all versions | An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.
CVE-2021-29006 | all versions | rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on th
CVE-2021-29005 | all versions | Insecure permission of chmod command on rConfig server 3.9.6 exists. After installing rConfig apache user may execute chmod as roo
CVE-2021-29004 | all versions | rConfig 3.9.6 is affected by SQL Injection. A user must be authenticated to exploit the vulnerability. If --secure-file-priv in My
CVE-2020-27466 | all versions | An arbitrary file write vulnerability in lib/AjaxHandlers/ajaxEditTemplate.php of rConfig 3.9.6 allows attackers to execute arbitr
CVE-2020-27464 | <= 3.9.6 | An insecure update feature in the /updater.php component of rConfig 3.9.6 and below allows attackers to execute arbitrary code via
CVE-2020-25359 | all versions | An arbitrary file deletion vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability gave attackers the ability
CVE-2020-25353 | all versions | A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability allowed remote au
CVE-2020-25352 | all versions | A stored cross-site scripting (XSS) vulnerability in the /devices.php function in rConfig 3.9.5 has been fixed for version 3.9.6. T
CVE-2020-25351 | all versions | An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote authe
CVE-2020-23151 | all versions | rConfig 3.9.5 allows command injection by sending a crafted GET request to lib/ajaxHandlers/ajaxArchiveFiles.php since the path pa
CVE-2020-23150 | all versions | A SQL injection vulnerability in config.inc.php of rConfig 3.9.5 allows attackers to access sensitive database information via a c
CVE-2020-23149 | all versions | The dbName parameter in ajaxDbInstall.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a SQL injection and acces
CVE-2020-23148 | all versions | The userLogin parameter in ldap/login.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform a LDAP injection and obta
CVE-2020-13638 | >= 3.9.0 and < 3.9.7 | lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. Th
CVE-2020-13778 | <= 3.9.4 | rConfig 3.9.4 and earlier allows authenticated code execution (of system commands) by sending a forged GET request to lib/ajaxHand
CVE-2020-15715 | all versions | rConfig 3.9.5 could allow a remote authenticated attacker to execute arbitrary code on the system, because of an error in the sear
CVE-2020-15714 | all versions | rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.cru
CVE-2020-15713 | all versions | rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.php
CVE-2020-15712 | all versions | rConfig 3.9.5 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a crafted
CVE-2020-10549 | <= 3.9.4 | rConfig 3.9.4 and previous versions have unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are
CVE-2020-10548 | <= 3.9.4 | rConfig 3.9.4 and previous versions have unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are s
CVE-2020-10547 | <= 3.9.4 | rConfig 3.9.4 and previous versions have unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes
CVE-2020-10546 | <= 3.9.4 | rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' pass
CVE-2020-12256 | all versions | rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit th
CVE-2020-12255 | all versions | rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. vendor.crud.php
CVE-2020-12258 | all versions | rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. The application can reuse
CVE-2020-12257 | all versions | rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) because it lacks implementation of CSRF protection such as a CSRF
CVE-2020-12259 | all versions | rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit t
CVE-2020-10879 | < 3.9.5 | rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parame
CVE-2020-9425 | < 3.9.4 | An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext
CVE-2020-10221 | <= 3.9.4 | lib/ajaxHandlers/ajaxAddTemplate.php in rConfig through 3.94 allows remote attackers to execute arbitrary OS commands via shell me
CVE-2020-10220 | <= 3.9.4 | An issue was discovered in rConfig through 3.9.4. The web interface is prone to a SQL injection via the commands.inc.php searchCol
CVE-2019-19585 | all versions | An issue was discovered in rConfig 3.9.3. The install script updates the /etc/sudoers file for rconfig specific tasks. After an "r
CVE-2019-19509 | all versions | An issue was discovered in rConfig 3.9.3. A remote authenticated user can directly execute system commands by sending a GET reques
CVE-2019-19372 | <= 3.9.3 | A downloadFile.php download_file path traversal vulnerability in rConfig through 3.9.3 allows attackers to list files in arbitrary
CVE-2019-19207 | all versions | rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.
CVE-2019-16663 | all versions | An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to search.crud
CVE-2019-16662 | all versions | An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerS