CVE-2020-10220: 
rConfig vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in rConfig through version 3.9.4 (CVE-2020-10220). The vulnerability exists in the web interface, specifically in the commands.inc.php file through the searchColumn parameter. This vulnerability was disclosed in March 2020 (NVD).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue allows attackers to inject malicious SQL commands through the searchColumn parameter in the commands.inc.php file, which is not properly sanitized before being used in database queries (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized access to sensitive information, including user credentials and device configurations stored in the database (Github Exploit).

Users should upgrade to a version newer than rConfig 3.9.4. If upgrading is not immediately possible, implementing web application firewall rules to filter malicious SQL injection attempts can help mitigate the risk (NVD).