CVE-2020-10546

Опубликовано: 04 июн. 2020

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Критический

Описание

rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.

Ссылки

https://github.com/theguly/exploits/blob/master/CVE-2020-10546.py
Exploit
Third Party Advisory
https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
Exploit
Third Party Advisory
https://github.com/theguly/exploits/blob/master/CVE-2020-10546.py
Exploit
Third Party Advisory
https://theguly.github.io/2020/09/rconfig-3.9.4-multiple-vulnerabilities/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:rconfig:rconfig:*:*:*:*:*:*:*:*

Версия до 3.9.4 (включая)

EPSS

Процентиль: 100%

0.91387

Критический

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-9xcw-ph39-7c5x

github

больше 3 лет назад