
Exploit for rConfig 3.9.4 - Server-Side Request Forgery (CVE-2023-39108)

Description:

rConfig v3.9.4 contains a Server-Side Request Forgery (SSRF) vulnerability via the path_b parameter in the doDiff function of /classes/compareClass.php. It allows authenticated attackers to make arbitrary requests by injecting crafted URLs.
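
The flaw class described above is a path parameter that also accepts URLs. The following is an added example of a server-side check for that class, not rConfig code and not the vendor's fix. It assumes the parameter is meant to name an existing file under a single local directory on a POSIX host; the function name `resolve_local_path` and the demo directory are hypothetical.

```php
<?php
// Added example, not rConfig code. Assumption: the user-supplied value must
// name an existing regular file under one local directory ($baseDir).

function resolve_local_path(string $userPath, string $baseDir): ?string
{
    // Reject URL schemes and PHP stream wrappers (http://, ftp://, php://,
    // phar://, data:, ...). Two or more scheme characters are required so a
    // relative name containing a colon later in the string is not affected.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $userPath)) {
        return null;
    }
    // Reject embedded NUL bytes before touching the filesystem.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    // Canonicalise both sides so "..", "." and symlinks cannot escape.
    $base = realpath($baseDir);
    $real = realpath($userPath);
    if ($base === false || $real === false) {
        return null;
    }

    // The resolved file must sit strictly below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

// Constructed demo data: a throwaway directory holding one sample file.
$base = sys_get_temp_dir() . '/cfg_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents("$base/router1.txt", "hostname r1\n");

$candidates = ["$base/router1.txt", 'http://example.invalid/x',
               "$base/../", '/etc/hostname'];
foreach ($candidates as $candidate) {
    $ok = resolve_local_path($candidate, $base) !== null;
    printf("%-45s => %s\n", $candidate, $ok ? 'accepted' : 'rejected');
}

unlink("$base/router1.txt");
rmdir($base);
```

Pass only the returned canonical path to file-reading functions, never the original request value.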

Nuclei Template

View the template here: CVE-2023-39108.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-39108.yaml

References:

https://github.com/zer0yu/CVE_Request/blob/master/rConfig/rConfig_path_b.md
https://github.com/zer0yu/CVE_Request
https://www.rconfig.com/downloads/rconfig-3.9.4.zip
https://nvd.nist.gov/vuln/detail/CVE-2023-39108