CVE-2020-12256
Published 2020-05-18
Priority: P3 · 51 · medium · 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 92.80% (99.8th percentile)
rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by crafting arbitrary JavaScript in the deviceId GET parameter to devicemgmnt.php.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | — | — |
Detection & IOCs (extracted from sources)
- Detect XSS exploitation attempts by monitoring GET requests to /devicemgmt.php containing script injection patterns (e.g., '">', '<script', 'alert(') in the deviceId parameter.
- Match an HTTP response body containing both 'alert(document.domain)' and 'rConfig - Configuration Management' with a 200 status code as a confirmed exploitation indicator.
- Use Shodan/FOFA queries 'http.title:"rConfig"' or 'title="rconfig"' to identify exposed rConfig instances for proactive scanning.
- Monitor POST requests to /lib/crud/userprocess.php with parameters 'user', 'pass', and 'sublogin=1' as part of the authenticated attack chain preceding XSS exploitation.
- Session fixation (CVE-2020-12258) can be chained with this XSS; monitor for PHPSESSID reuse across sessions on rConfig instances.
- Exploitation requires prior authentication; the attack chain involves logging in via /lib/crud/userprocess.php before triggering the XSS in /devicemgmt.php.
- The vulnerable parameter is spelled 'deviceId' in the URL/template. The endpoint is written /devicemgmt.php in the request paths above but 'devicemgmnt.php' (with an extra 'n') in the prose description; both refer to the same endpoint.
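The request-side check from the list above, as an added example (not code from this page or from the rConfig project): a Python filter over access-log lines that flags GET requests to the device management page whose deviceId carries the listed markers, including when they are percent-encoded more than once. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The page spells the endpoint both ways (devicemgmt / devicemgmnt); match either.
ENDPOINT = re.compile(r"/devicemgmn?t\.php$", re.IGNORECASE)
MARKERS = ('">', "<script", "alert(")  # patterns named in the detection notes
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo layered percent-encoding so %253Cscript is still seen as <script."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_device_id(log_line):
    """Return the markers found in deviceId for a GET to the page, else []."""
    m = REQUEST.search(log_line)
    if not m or m.group("method") != "GET":
        return []
    url = urlsplit(m.group("target"))
    if not ENDPOINT.search(url.path):
        return []
    hits = []
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        if key.lower() != "deviceid":
            continue
        for raw in values:  # parse_qs has already decoded one layer
            text = fully_decode(raw).lower()
            hits += [mk for mk in MARKERS if mk in text and mk not in hits]
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/May/2020:10:00:01 +0000] "GET /devicemgmt.php?deviceId=7 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [18/May/2020:10:02:13 +0000] "GET /devicemgmt.php?deviceId=1%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5301',
    '192.0.2.44 - - [18/May/2020:10:02:40 +0000] "GET /devicemgmnt.php?deviceId=%2522%253E%253CScRiPt%253E HTTP/1.1" 404 310',
    '192.0.2.10 - - [18/May/2020:10:03:02 +0000] "GET /devices.php?deviceId=%3Cscript%3E HTTP/1.1" 200 4100',
]

def scan(lines):
    """Return (line_number, markers) for every line that triggers the check."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := suspicious_device_id(line))]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: deviceId contains {hits}")
```

A request-side hit only shows an attempt; the response-body match listed above is what confirms the payload was reflected.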
CVSS provenance
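| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |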
GHSA
GHSA-cw43-3hjf-j7v7: rConfig 3
ghsa_unreviewed·2022-05-24
CVE-2020-12256 [LOW] GHSA-cw43-3hjf-j7v7: rConfig 3
rConfig 3.9.4 is vulnerable to reflected XSS. The devicemgmnt.php file improperly validates user input. An attacker can exploit this by crafting arbitrary JavaScript in the deviceId GET parameter to devicemgmnt.php.
GHSA
GHSA-cqx4-jqpq-wx8p: rConfig 3
ghsa_unreviewed·2022-05-24·CVSS 5.4
CVE-2020-12258 [MEDIUM] GHSA-cqx4-jqpq-wx8p: rConfig 3
rConfig 3.9.4 is vulnerable to session fixation because session expiry and randomization are mishandled. The application can reuse a session via PHPSESSID. Also, an attacker can exploit this vulnerability in conjunction with CVE-2020-12256 or CVE-2020-12259.
No detection rules found.
Nuclei
rConfig 3.9.4 - Cross-Site Scripting
nuclei·CVSS 5.4
CVE-2020-12256 [MEDIUM] rConfig 3.9.4 - Cross-Site Scripting
rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, an attacker can exploit this vulnerability by crafting arbitrary JavaScript in the `deviceId` GET parameter of devicemgmnt.php, resulting in execution of the JavaScript.
Template:
```yaml
id: CVE-2020-12256
info:
  name: rConfig 3.9.4 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    The rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript in `deviceId` GET parameter of devicemgmnt.php resulting in execution
```
No writeups or analysis indexed.
Published: 2020-05-18