E20-7u391
CVSS:
8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
False Positive:
f
Variants:
6
Year:
2019
Description
An OS Command Injection exists in rConfig 3.9.3 and prior versions as a result of no sanitization of user supplied data.
The parameter processed in 'ajaxArchiveFiles.php' is then used as a command line argument within a privileged command.
By sending a crafted 'path' parameter to '/lib/ajaxHandlers/ajaxArchiveFiles.php' path, a remote authenticated attacker may execute arbitrary OS commands as a superuser.