20200722 SQL Injection In Reportdata Ip In 'req' GET Parameter - munkireport/munkireport-php GitHub Wiki
SQL Injection In Reportdata Ip In 'req' GET Parameter - CVE-2020-15886
Description
The reportdata IP lookup is vulnerable to SQL injection by an authenticated user through the 'req' GET parameter. An SQL injection could allow a malicious actor to run arbitrary queries against the database, which could lead to data exfiltration or, in some cases, code execution.
Vulnerable versions: MunkiReport 2.5.3 through 5.6.2.
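The bug class behind this advisory, shown as an added illustration rather than MunkiReport's own code: a 'req' GET parameter concatenated into an SQL string, next to a hardened version that validates the value as an IP address and binds it with a prepared statement. The table and column names (reportdata, ip_v4, serial_number) are assumptions.

```php
<?php
// Added example, not MunkiReport's code. Table/column names are assumptions.

// VULNERABLE pattern: the request value becomes part of the SQL text, so
// whoever controls 'req' controls the query the database parses.
function lookupByIpVulnerable(PDO $db, string $req): array
{
    $sql = "SELECT serial_number FROM reportdata WHERE ip_v4 = '" . $req . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED pattern: reject anything that is not an IP address, then pass the
// value as a bound parameter so the database never interprets it as SQL.
function lookupByIpSafe(PDO $db, string $req): array
{
    if (filter_var($req, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('req must be an IP address');
    }
    $stmt = $db->prepare('SELECT serial_number FROM reportdata WHERE ip_v4 = :ip');
    $stmt->execute([':ip' => $req]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory sample data so the snippet runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reportdata (serial_number TEXT, ip_v4 TEXT)');
$db->exec("INSERT INTO reportdata VALUES ('C02ABC123', '10.0.0.5')");

// The 'req' GET parameter named in the advisory, with a default for CLI use.
$req = $_GET['req'] ?? '10.0.0.5';
print_r(lookupByIpSafe($db, $req));
```

With the hardened function, a 'req' value that is not a well-formed IP address is rejected before any query is built, and a valid one is sent to the database as data rather than as query text.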
Mitigation
Update MunkiReport to the latest version (Preferred)
- Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
- General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures
If updating to the latest version is not possible:
- Update the reportdata module to v3.5