CVE-2019-6961

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-6961
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-6961.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-6961
Published
2019-06-20T14:15:11.047Z
Modified
2025-11-14T09:56:08.415037Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
[none]
Details

Incorrect access control in actionHandlerUtility.php in the RDK RDKB-20181217-1 WebUI module allows a logged-in user to control DDNS, QoS, RIP, and other privileged configurations (intended only for the network operator) by sending an HTTP POST to the PHP backend, because the page filtering for non-superusers (in header.php) is applied only to GET requests and not to direct AJAX calls.

References

Affected packages

Git / github.com/rdkcmf/rdkb-ccsppandm

Affected ranges

Type
GIT
Repo
https://github.com/rdkcmf/rdkb-ccsppandm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

Other

IMPORT_INITIAL
RDKB-20181114
RDKB-20181114-1
RDKB-20181115
RDKB-20181217
RDKB-20181217-1