CVE-2020-15713

HIGH

rConfig 3.9.5 - Authenticated SQL Injection via devices.php sortBy Parameter

Title source: llm
STIX 2.1

Description

rConfig 3.9.5 is vulnerable to SQL injection. A remote authenticated attacker could send crafted SQL statements to the devices.php script using the sortBy parameter, which could allow the attacker to view, add, modify, or delete information in the back-end database.

References (2)

Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.rconfig.com/downloads/v3-release-notes

Scores

CVSS v3 8.8
EPSS 0.0279
EPSS Percentile 84.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
rconfig/rconfig 3.9.5
Published Jul 28, 2020
Tracked Since Feb 18, 2026