Vulnerabilities > CVE-2020-25359 - Missing Authorization vulnerability in Rconfig 3.9.5

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

rconfig

CWE-862

critical

NVD

Published: 2021-08-20

Updated: 2022-10-05

Summary

An arbitrary file deletion vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability gave attackers the ability to send a crafted request to /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php by specifying a path in the path parameter and an extension in the ext parameter and delete all the files with that extension in that path.

Vulnerable Configurations

Part	Description	Count
Application	Rconfig Rconfig Rconfig 3.9.5	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://stark0de.com/2020/08/27/pwning-rconfig-part-one.html
https://cwe.mitre.org/data/definitions/36.html