20200309 Authenticated Comment XSS - munkireport/munkireport-php GitHub Wiki
Authenticated Comment XSS - CVE-2020-10191
Description
A logged-in admin can craft a special request, using his own admin session credentials, to inject JavaScript into a comment field. Because the comment is stored and later rendered to other users, the JavaScript can be used to extract data from another admin who is logged in.
Affected versions: MunkiReport 2.5.3 through 5.2.x are vulnerable.
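As an added illustration (not MunkiReport's own code), the pattern behind a stored XSS of this kind and its fix: a comment body concatenated into HTML as stored, versus the same body HTML-encoded at output time. The function names and the sample comments are constructed for this example.

```php
<?php
// Added illustration, not code from munkireport-php. Shows why a stored
// comment must be HTML-encoded when it is rendered for another user.

/**
 * Vulnerable rendering: the stored comment is placed into the page as-is,
 * so any markup in the comment body is interpreted by the viewer's browser
 * in the viewer's session.
 */
function render_comment_unsafe(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

/**
 * Hardened rendering: the comment is encoded at output time.
 * ENT_QUOTES encodes both quote styles so the value is also safe inside
 * attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string (which would silently drop the comment).
 */
function render_comment_safe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="comment">' . $encoded . '</div>';
}

/**
 * Simple check a reviewer can run over stored comments: true when the
 * rendered output still contains a raw tag, i.e. encoding was skipped.
 */
function contains_raw_markup(string $html_fragment): bool
{
    // Strip the wrapper we added, then look for any remaining '<' or '>'.
    $inner = substr($html_fragment, strlen('<div class="comment">'), -strlen('</div>'));
    return strpbrk($inner, '<>') !== false;
}

// Constructed sample comments: a harmless note and one carrying markup.
$samples = [
    'Machine re-imaged on 2020-03-09',
    '<script>x</script>',
];

foreach ($samples as $s) {
    $unsafe = render_comment_unsafe($s);
    $safe   = render_comment_safe($s);
    printf("unsafe: %s  (raw markup: %s)\n", $unsafe, contains_raw_markup($unsafe) ? 'yes' : 'no');
    printf("safe:   %s  (raw markup: %s)\n", $safe, contains_raw_markup($safe) ? 'yes' : 'no');
}
```

The second sample renders as `&lt;script&gt;x&lt;/script&gt;` through the safe path and is displayed as text rather than executed; encoding belongs at the point of output, not at the point of storage, so that the same stored value is safe in every view that shows it.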
Mitigation
Update MunkiReport to the latest version (Preferred)
- Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
- General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures
If updating to the latest version is not possible:
- Update the `comment` module to v2.2 - only possible when running MunkiReport 4.3.0RC2 or higher.
- Or disable the `comment` module by removing it from the `MODULES=` setting in the server config.