.. / CVE-2020-12256

Exploit for rConfig 3.9.4 - Cross-Site Scripting (CVE-2020-12256)

Description:

The rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates the request coming from the user input. Due to this flaw, An attacker can exploit this vulnerability by crafting arbitrary javascript in deviceId GET parameter of devicemgmnt.php resulting in execution of the javascript.

Nuclei Template

View the template here CVE-2020-12256.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2020/CVE-2020-12256.yaml

References:

https://gist.github.com/farid007/8855031bad0e497264e4879efb5bc9f8
https://github.com/Elsfa7-110/kenzer-templates
https://www.rconfig.com/downloads/rconfig-3.9.4.zip
https://github.com/ARPSyndicate/kenzer-templates
https://nvd.nist.gov/vuln/detail/CVE-2020-12256

.. / CVE-2020-12256 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for rConfig 3.9.4 - Cross-Site Scripting (CVE-2020-12256)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2020-12256