CVE-2020-10546

Critical

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are…

mitre·CWE-89·Published 2020-06-04

CVSS

9.8

EPSS

0.87

KEV

Exploits

cve.orgen

264 chars

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

NVDen

264 chars

NVDes

334 chars

rConfig versiones 3.9.4 y anteriores, presenta una inyección SQL sin autentificar del archivo compliancepolicies.inc.php. Dado que, por defecto, las contraseñas de los nodos son almacenadas en texto sin cifrar, esta vulnerabilidad conlleva un movimiento lateral que permite a un atacante acceder a los dispositivos de red monitoreados

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.1	Primary	NVD	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H