CVE-2020-12256
published 2020-05-18


Priority: P3 · 51 · medium · CVSS 3.1 base score 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploit / EPSS: 92.80% (99.8th percentile)
rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by crafting arbitrary JavaScript in the deviceId GET parameter to devicemgmnt.php.

Affected (1 range)

Vendor    Product    Version range    Fixed in
rconfig   rconfig

Detection & IOCs (extracted from sources)

  url     /devicemgmt.php?deviceId=">alert(document.domain)
  path    /devicemgmt.php
  path    /lib/crud/userprocess.php
  path    /login.php
  cookie  PHPSESSID
  • Detect XSS exploitation attempts by monitoring GET requests to /devicemgmt.php containing script injection patterns (e.g., '">', '<script', 'alert(') in the deviceId parameter.
  • Match HTTP response body containing both 'alert(document.domain)' and 'rConfig - Configuration Management' with a 200 status code as a confirmed exploitation indicator.
  • Use Shodan/FOFA queries 'http.title:"rConfig"' or 'title="rconfig"' to identify exposed rConfig instances for proactive scanning.
  • Monitor POST requests to /lib/crud/userprocess.php with parameters 'user', 'pass', and 'sublogin=1' as part of the authenticated attack chain preceding XSS exploitation.
  • Session fixation (CVE-2020-12258) can be chained with this XSS; monitor for PHPSESSID reuse across sessions on rConfig instances.
  • Exploitation requires prior authentication; the attack chain involves logging in via /lib/crud/userprocess.php before triggering the XSS in /devicemgmt.php.
  • The vulnerable file is spelled 'devicemgmt.php' in the URL/template but 'devicemgmnt.php' (with an extra 'n') in the prose description; both refer to the same endpoint, and the vulnerable GET parameter is 'deviceId'.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     5.4    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd     v2.0     3.5    LOW       AV:N/AC:M/Au:S/C:N/I:P/A:N