rConfig 3.9.6

CPE Details

rConfig 3.9.6
rconfig
rconfig
3.9.6
2021-08-21
01h57 +00:00
2022-11-04
21h50 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:rconfig:rconfig:3.9.6:*:*:*:*:*:*:*

Informations

Vendor

rconfig

Product

rconfig

Version

3.9.6

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2022-44384 2022-11-17 00h00 +00:00 An arbitrary file upload vulnerability in rconfig v3.9.6 allows attackers to execute arbitrary code via a crafted PHP file.
8.8
High
CVE-2021-29005 2021-10-11 10h04 +00:00 Insecure permission of chmod command on rConfig server 3.9.6 exists. After installing rConfig apache user may execute chmod as root without password which may let an attacker with low privilege to gain root access on server.
8.8
High
CVE-2021-29006 2021-10-11 10h02 +00:00 rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server.
6.5
Medium
CVE-2021-29004 2021-10-11 09h58 +00:00 rConfig 3.9.6 is affected by SQL Injection. A user must be authenticated to exploit the vulnerability. If --secure-file-priv in MySQL server is not set and the Mysql server is the same as rConfig, an attacker may successfully upload a webshell to the server and access it remotely.
8.8
High
CVE-2020-27466 2021-08-20 16h10 +00:00 An arbitrary file write vulnerability in lib/AjaxHandlers/ajaxEditTemplate.php of rConfig 3.9.6 allows attackers to execute arbitrary code via a crafted file.
7.8
High
CVE-2020-27464 2021-08-20 16h10 +00:00 An insecure update feature in the /updater.php component of rConfig 3.9.6 and below allows attackers to execute arbitrary code via a crafted ZIP file.
7.8
High
CVE-2020-13638 2020-11-13 18h53 +00:00 lib/crud/userprocess.php in rConfig 3.9.x before 3.9.7 has an authentication bypass, leading to administrator account creation. This issue has been fixed in 3.9.7.
9.8
Critical
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.