CVE List

CVE-2020-9425

Critical 7.5

An issue was discovered in includes/head.inc.php in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.

Published March 20, 2020.

Affected software

Rconfig Rconfig

Reference links

Sign Up for Alerts