CVE-2020-10546: SQL Injection
First published: Thu Jun 04 2020(Updated: )
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rConfig rConfig | <=3.9.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-10546?
CVE-2020-10546 is a vulnerability in rConfig 3.9.4 and previous versions that allows unauthenticated SQL injection.
What is the severity of CVE-2020-10546?
The severity of CVE-2020-10546 is critical with a CVSS score of 9.8.
How does CVE-2020-10546 impact the security of the system?
CVE-2020-10546 allows an attacker to perform SQL injection and gain unauthorized access to monitored network devices.
Is CVE-2020-10546 easy to exploit?
Yes, there are public exploits available for CVE-2020-10546.
How can I fix CVE-2020-10546?
To fix CVE-2020-10546, upgrade rConfig to a version higher than 3.9.4 and secure the stored passwords.
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/references
- agent/description
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/rconfig
- canonical/rconfig rconfig
- version/rconfig rconfig/3.9.4