CVE-2020-12255

Published: May 18, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

rConfig 3.9.4 is vulnerable to remote code execution due to improper validation in the file upload functionality. vendor.crud.php accepts a file upload by checking content-type without considering the file extension and header. Thus, an attacker can exploit this by uploading a .php file to vendor.php that contains arbitrary PHP code and changing the content-type to image/gif.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://gist.github.com/farid007/9f6ad063645d5b1550298c8b9ae953ff

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-12255

Description

Affected Products

References