CVE-2020-15713
HIGHrConfig 3.9.5 - Authenticated SQL Injection via devices.php sortBy Parameter
Title source: llmDescription
rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.php script using the sortBy parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database.
References (2)
Core 2
Core References
VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/184939
Release Notes, Vendor Advisory x_refsource_misc
https://www.rconfig.com/downloads/v3-release-notes
Scores
CVSS v3
8.8
EPSS
0.0279
EPSS Percentile
84.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
rconfig/rconfig
3.9.5
Published
Jul 28, 2020
Tracked Since
Feb 18, 2026