CVE-2020-12256

MEDIUM NUCLEI

rConfig - XSS

Title source: rule

Description

rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by supplying crafted JavaScript in the deviceId GET parameter of devicemgmnt.php.

Nuclei Templates (1)

rConfig 3.9.4 - Cross-Site Scripting
MEDIUM VERIFIED by r3Y3r53
Shodan: http.title:"rConfig" || http.title:"rconfig"
FOFA: title="rconfig"

Scores

CVSS v3 5.4
EPSS 0.5490
EPSS Percentile 98.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
rconfig/rconfig 3.9.4
Published May 18, 2020
Tracked Since Feb 18, 2026