20200722 SQL Injection In Datatables Order By In Post Body
Arjen van Bochoven edited this page Jul 22, 2020 · 1 revision
SQL Injection In Datatables Order By In Post Body - CVE-2020-15884
Description
The Datatables "order by" field, sent in the POST body, is vulnerable to SQL injection by an authenticated user. An SQL injection could allow a malicious actor to perform arbitrary queries on the database, which could lead to data exfiltration or, in some cases, code execution.
Vulnerable versions: MunkiReport 2.5.3 through 5.6.2.
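The root cause is a server-side handler that copies the Datatables ordering parameters (`order[0][column]`, `order[0][dir]` and the matching `columns[i][data]` name) from the POST body straight into the SQL `ORDER BY` clause. The following is an added illustration, not MunkiReport's own code: it contrasts that pattern with a hardened builder that only ever interpolates allowlisted identifiers and fixed keywords. The table, column names and rows are constructed for the example.

```python
import sqlite3
from typing import Dict, List

# Constructed allowlist: the only identifiers the grid is permitted to sort on.
ALLOWED_COLUMNS = ("serial_number", "hostname", "os_version")
ALLOWED_DIRS = {"asc": "ASC", "desc": "DESC"}


def build_order_by_unsafe(post: Dict[str, str]) -> str:
    """The vulnerable pattern: request text is pasted into the SQL verbatim."""
    idx = post["order[0][column]"]
    col = post[f"columns[{idx}][data]"]          # attacker-controlled string
    return f"ORDER BY {col} {post['order[0][dir]']}"


def build_order_by_safe(post: Dict[str, str]) -> str:
    """Hardened builder: resolve the Datatables column index, check the column
    name against the allowlist and map the direction onto fixed keywords.
    Anything that does not match exactly is rejected before any SQL is built."""
    try:
        idx = int(post.get("order[0][column]", ""))
    except ValueError as exc:
        raise ValueError("order column must be an integer index") from exc
    col = post.get(f"columns[{idx}][data]", "")
    if col not in ALLOWED_COLUMNS:
        raise ValueError("order column is not sortable")
    direction = ALLOWED_DIRS.get(post.get("order[0][dir]", "").lower())
    if direction is None:
        raise ValueError("order direction must be asc or desc")
    # Only values taken from the allowlist and the keyword map reach the SQL.
    return f'ORDER BY "{col}" {direction}'


def query_machines(post: Dict[str, str]) -> List[str]:
    """Run the hardened ordering against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machine (serial_number TEXT, hostname TEXT, os_version TEXT)")
    conn.executemany("INSERT INTO machine VALUES (?, ?, ?)", [
        ("C02X1", "mac-a", "10.15.6"),
        ("C02X3", "mac-c", "10.14.6"),
        ("C02X2", "mac-b", "10.15.5"),
    ])
    sql = "SELECT hostname FROM machine " + build_order_by_safe(post)
    return [row[0] for row in conn.execute(sql)]
```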
Mitigation
Update MunkiReport to the latest version (Preferred)
- Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
- General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures