Skip to main content

Always-Incorrect Control Flow Implementation


Severity High
Score 7.5/10


An issue was discovered in includes/ in rConfig before 3.9.4. An unauthenticated attacker can retrieve saved cleartext credentials via a GET request to settings.php. Because the application was not exiting after a redirect is applied, the rest of the page still executed, resulting in the disclosure of cleartext credentials in the response.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-670 - Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.


Advisory Timeline

  • Published