module
rConfig Vendors Auth File Upload RCE
| Disclosed |
|---|
| Mar 17, 2021 |
Description
This module allows an attacker with a privileged rConfig account to start a reverse shell
by exploiting an arbitrary file upload vulnerability in `/lib/crud/vendors.crud.php`.
The uploaded payload can then be triggered by a request to `images/vendor/.php`.
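
A defender's view of the two requests described above, as an added example that is not part of the module page or the Metasploit code: it scans web access logs for script requests under `images/vendor/` and marks those preceded by a POST to `vendors.crud.php` from the same client. The combined log format, the extension list (which goes beyond the `.php` the page names), the 10-minute window and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_RE = re.compile(r"/lib/crud/vendors\.crud\.php$")
# Script-like files in the vendor image directory (extension list is an assumption).
SCRIPT_RE = re.compile(r"/images/vendor/[^/]*\.(?:php\d?|phtml|phar)$", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window


def find_vendor_upload_abuse(lines):
    """Return one finding per script request under images/vendor/.

    preceded_by_upload is True when the same client POSTed to
    vendors.crud.php no more than WINDOW before the script request.
    """
    last_upload = {}  # client ip -> time of its most recent upload POST
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # drop the query string
        if m["method"] == "POST" and UPLOAD_RE.search(path):
            last_upload[m["ip"]] = ts
        elif SCRIPT_RE.search(path):
            prev = last_upload.get(m["ip"])
            linked = prev is not None and timedelta(0) <= ts - prev <= WINDOW
            findings.append({"ip": m["ip"], "path": path,
                             "status": int(m["status"]), "preceded_by_upload": linked})
    return findings


# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '198.51.100.7 - - [17/Mar/2021:10:00:01 +0000] "POST /lib/crud/vendors.crud.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.7 - - [17/Mar/2021:10:00:05 +0000] "GET /images/vendor/constructed.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [17/Mar/2021:10:01:00 +0000] "GET /images/vendor/cisco.jpg HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [17/Mar/2021:11:00:00 +0000] "GET /images/vendor/x.PHP?a=1 HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_vendor_upload_abuse(SAMPLE):
        print(finding)
```

A finding with status 200 and `preceded_by_upload` set is the one to triage first; a directory that should hold only vendor logos has no reason to serve scripts at all.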