CVE-2019-6961

MEDIUM

RDK RDKB-20181217-1 WebUI - Privilege Escalation

Title source: llm
STIX 2.1

Description

Incorrect access control in actionHandlerUtility.php in the RDK RDKB-20181217-1 WebUI module allows a logged in user to control DDNS, QoS, RIP, and other privileged configurations (intended only for the network operator) by sending an HTTP POST to the PHP backend, because the page filtering for non-superuser (in header.php) is done only for GET requests and not for direct AJAX calls.

References (1)

Core 1
Core References

Scores

CVSS v3 6.5
EPSS 0.0093
EPSS Percentile 56.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-862
Status published
Products (1)
rdkcentral/rdkb_ccsppandm rdkb-20181217-1
Published Jun 20, 2019
Tracked Since Feb 18, 2026