CVE-2020-12259
published 2020-05-18

Priority: P3 · 50 · medium
CVSS 3.1 base score: 5.4
CVSS vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
Exploit: public PoC available
EPSS: 94.77% (99.8th percentile)
rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php.

Affected (1 range)

Vendor    Product   Version range   Fixed in
rconfig   rconfig   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  • url: /configDevice.php?rid=">alert(document.domain)
  • path: /configDevice.php
  • path: /lib/crud/userprocess.php
  • url: https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
  • url: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
  • Detect exploitation attempts by monitoring GET requests to /configDevice.php with a 'rid' parameter containing HTML/JS injection characters such as '">' or '<script'.
  • Match HTTP 200 responses to /configDevice.php where the response body contains both 'alert(document.domain)' and 'rConfig - Configuration Management' with content-type text/html — this confirms successful XSS reflection.
  • Identify rConfig instances exposed on the internet using Shodan query 'http.title:"rConfig"' or FOFA query 'title="rconfig"' to find attack surface.
  • The attack requires authentication; monitor for POST requests to /lib/crud/userprocess.php with parameters 'user', 'pass', and 'sublogin=1' immediately preceding requests to /configDevice.php with a malicious 'rid' parameter.
  • This CVE can be chained with CVE-2020-12256 or CVE-2020-12258 (session fixation via PHPSESSID reuse); monitor for session fixation patterns alongside XSS payloads in the rid parameter.
  • Exploitation requires prior authentication (PR:L); unauthenticated scanning will not trigger the vulnerable code path.
  • The Nuclei template uses a 3-step request chain (GET login, POST credentials, GET payload); single-request detections will miss the vulnerability due to session dependency.
  • The reflected XSS payload is confirmed only when the response body contains both the injected string and the page title 'rConfig - Configuration Management'; partial matches may indicate a patched or different version.
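An added example (not code from cvebase or the rConfig project) that applies the first and fourth bullets above to web-server access logs: it flags GET requests to /configDevice.php whose rid parameter carries the '">' or '<script' markers and records whether a POST to /lib/crud/userprocess.php from the same client preceded the request within a short window. The log lines are constructed in Apache combined format; access logs do not carry POST bodies or response bodies, so the 'sublogin=1' and 'alert(document.domain)' response checks from the bullets need a proxy or WAF with body inspection.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format), not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2020:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512
10.0.0.5 - - [18/May/2020:10:00:03 +0000] "POST /lib/crud/userprocess.php HTTP/1.1" 302 0
10.0.0.5 - - [18/May/2020:10:00:04 +0000] "GET /configDevice.php?rid=%22%3Ealert(document.domain) HTTP/1.1" 200 4210
10.0.0.9 - - [18/May/2020:10:05:00 +0000] "GET /configDevice.php?rid=42 HTTP/1.1" 200 4100
10.0.0.7 - - [18/May/2020:11:00:00 +0000] "GET /configDevice.php?rid=%22%3E HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Injection markers named in the detection guidance above.
INJECTION_MARKERS = ('">', "<script")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def suspicious_rid(target):
    """Return the decoded rid value if the request targets configDevice.php with an injection marker."""
    parts = urlsplit(target)
    if not parts.path.endswith("/configDevice.php"):
        return None
    for rid in parse_qs(parts.query, keep_blank_values=True).get("rid", []):
        if any(marker in rid.lower() for marker in INJECTION_MARKERS):
            return rid  # parse_qs has already percent-decoded the value
    return None


def detect(log_text, login_window=timedelta(minutes=5)):
    """Flag rid-injection requests and note whether a login POST from the same IP preceded each one."""
    last_login = {}  # ip -> timestamp of the most recent POST to /lib/crud/userprocess.php
    alerts = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["method"] == "POST" and urlsplit(rec["target"]).path.endswith("/lib/crud/userprocess.php"):
            last_login[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and (payload := suspicious_rid(rec["target"])) is not None:
            login_ts = last_login.get(rec["ip"])
            after_login = login_ts is not None and rec["ts"] - login_ts <= login_window
            alerts.append({"ip": rec["ip"], "payload": payload, "status": rec["status"], "after_login": after_login})
    return alerts
```

Alerts with after_login set and an HTTP 200 status are the ones worth pairing with the response-body check from the second bullet; a flagged request with no preceding login is more likely a scanner hitting the login redirect.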

CVSS provenance

  • NVD (CVSS v3.1): 5.4 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • NVD (CVSS v2.0): 3.5 LOW, vector AV:N/AC:M/Au:S/C:N/I:P/A:N