20200309 Authenticated Comment XSS

Authenticated Comment XSS - CVE-2020-10191

Description

A logged in admin can craft a special request using his admin session credentials to inject javascript into a comment field. The javascript can be used to extract data from another admin that is logged in.

Vulnerability: Versions of MunkiReport from 2.5.3 to 5.2.x are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures

If updating to the latest version in not possible:

Update the comment module to v2.2 - only possible when running MunkiReport 4.3.0RC2 or higher.
Or disable the comment module by removing it from the MODULES= setting in the server config.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

20200309 Authenticated Comment XSS

Authenticated Comment XSS - CVE-2020-10191

Description

Vulnerability: Versions of MunkiReport from 2.5.3 to 5.2.x are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

If updating to the latest version in not possible:

Introduction

Setup

Server Configuration

Client Configuration

Upgrade

Modules

Securing MunkiReport

Customization

Misc

Developers

Clone this wiki locally