20200722 Reflected XSS In Managedinstalls Module
Arjen van Bochoven edited this page Jul 22, 2020
Reflected XSS In Managedinstalls Module - CVE-2020-15883
Description
Reflected cross-site scripting (XSS) is a client-side vulnerability that allows arbitrary JavaScript execution when request parameters are reflected, unescaped, into the body of the response. The application fails to escape dangerous characters from the URL while building the page. An attacker who gets a user to click a crafted link to the trusted application can therefore run client-side code and perform arbitrary operations in that user's session.
Vulnerable versions: MunkiReport 2.5.3 through 5.6.2.
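As an added illustration of the pattern the description refers to (this is not MunkiReport's code, and the `filter` parameter and page fragment are assumptions, not the module's real names), the vulnerable rendering is shown beside its hardened form in PHP:

```php
<?php
declare(strict_types=1);
// Added example, not MunkiReport code. The query parameter name "filter"
// and the HTML fragment are assumptions chosen for demonstration only.

// Vulnerable pattern: a query parameter is concatenated into the HTML body
// without escaping, so any markup carried in the URL lands in the page as
// live markup and is executed by the victim's browser.
function render_unsafe(array $query): string
{
    $filter = $query['filter'] ?? '';
    return '<h2>Managed installs matching: ' . $filter . '</h2>';
}

// Hardened pattern: escape at the point of output for the HTML context the
// value is placed in. ENT_QUOTES encodes both quote characters, so the same
// helper is also safe inside quoted attribute values; the explicit charset
// prevents multi-byte sequences from smuggling a quote past the encoder.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(array $query): string
{
    $filter = $query['filter'] ?? '';
    return '<h2>Managed installs matching: ' . h($filter) . '</h2>';
}

// Returns true when a raw <script> tag survived into the response body,
// which is the check a tester makes on the reflected response.
function reflects_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed attacker-controlled query, as it would arrive in $_GET after
// the victim follows a crafted link to the trusted application.
$query = ['filter' => '"><script>alert(document.cookie)</script>'];

$unsafe = render_unsafe($query);
$safe   = render_safe($query);

printf("unsafe: %s\n", $unsafe);
printf("safe:   %s\n", $safe);
printf("unsafe reflects live <script>: %s\n", reflects_live_script($unsafe) ? 'yes' : 'no');
printf("safe reflects live <script>:   %s\n", reflects_live_script($safe) ? 'yes' : 'no');
```

Run it with `php example.php`. The escaping must match the output context: `htmlspecialchars` is correct for HTML text and quoted attributes, but a value written into an inline `<script>` block or a `javascript:` URL needs a different encoder, and a Content-Security-Policy that disallows inline scripts is a worthwhile second layer for a reporting dashboard like this one.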
Mitigation
Update MunkiReport to the latest version (preferred)
- Version-specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
- General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures
If updating to the latest version is not possible:
- Update the managedinstalls module to v2.6
- Or disable the managedinstalls module by removing it from the MODULES= setting in the server config.