20200722 Reflected XSS In Managedinstalls Module - munkireport/munkireport-php GitHub Wiki
Reflected XSS In Managedinstalls Module - CVE-2020-15883
Description
Reflected cross-site scripting (XSS) is a client-side vulnerability that allows arbitrary JavaScript execution when request parameters are reflected, unescaped, into the body of the response. The application fails to escape dangerous characters taken from the URL while building the page. This could allow client-side code execution and arbitrary operations in the context of the logged-in user when they click a malicious link that points at the trusted application.
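The following is an added illustration of the general pattern behind this class of bug, not code from MunkiReport or the managedinstalls module: a request parameter concatenated into HTML without encoding, beside the output-encoding fix. The parameter name "filter", the heading markup, and the probe string are assumptions made for the example.

```php
<?php
// Added example, not MunkiReport's code. The "filter" parameter and the
// surrounding markup are assumptions chosen for illustration.

// Vulnerable pattern: request input is concatenated into HTML unescaped,
// so any markup in the URL becomes part of the rendered page.
function render_heading_unsafe(string $filter): string
{
    return "<h2>Managed installs: " . $filter . "</h2>";
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES covers
// both quote styles, ENT_SUBSTITUTE avoids returning an empty string on
// invalid byte sequences, and the explicit charset prevents encoding tricks.
function render_heading_safe(string $filter): string
{
    $encoded = htmlspecialchars($filter, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h2>Managed installs: " . $encoded . "</h2>";
}

// A value embedded in a JavaScript context needs a different encoder:
// JSON-encode with the HEX flags so <, >, &, ' and " cannot terminate the
// enclosing script block or attribute.
function render_js_value_safe(string $filter): string
{
    $encoded = json_encode($filter, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var filter = " . $encoded . ";</script>";
}

// Constructed probe input standing in for what a crafted link would carry;
// the tag is harmless on purpose, the point is whether it is interpreted.
$input = $_GET['filter'] ?? '"><i>injected</i>';

echo render_heading_unsafe($input), PHP_EOL;   // browser interprets the tag
echo render_heading_safe($input), PHP_EOL;     // browser shows it as literal text
echo render_js_value_safe($input), PHP_EOL;    // safe inside a <script> block
```

Run it as `php example.php` or behind a web server with `?filter=...` to compare the three outputs. The design point is that the encoder must match the output context (HTML body, attribute, or JavaScript); a single "sanitize on input" step is not a substitute, which is why the fix for this class of bug is applied where the value is written into the page.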
Vulnerable: MunkiReport versions 2.5.3 through 5.6.2 are vulnerable.
Mitigation
Update MunkiReport to the latest version (Preferred)
- Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
- General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures
If updating to the latest version is not possible:
- Update the managedinstalls module to v2.6
- Or disable the managedinstalls module by removing it from the MODULES= setting in the server config.