20200722 munki_facts XSS - munkireport/munkireport-php GitHub Wiki

munki_facts XSS - CVE-2020-15881

Description

Stored cross-site scripting (XSS) is a client side vulnerability allowing arbitrary javascript execution based on arbitrary data sent directly to the client and executed by the browser. A malicious actor can send data to the application via the munki_facts module and once the administrator visits the munki_facts page will execute actions unbeknownst to the user.

Vulnerable: Versions of MunkiReport from 2.5.3 to 5.6.2 are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures

If updating to the latest version in not possible:

Update the munki_facts module to v1.5
Or disable the munki_facts module by removing it from the MODULES= setting in the server config.