20200722 SQL Injection in softwareupdate module

SQL Injection in softwareupdate module - CVE-2020-15887

Description

The get_tab_data endpoint is vulnerable to a SQL Injection attack by an authenticated user. A SQL Injection could allow a malicious actor to perform arbitrary queries on the database. This could lead to data exfiltration or in some case, code execution.

Vulnerable: Versions of MunkiReport from 2.5.3 to 5.6.2 are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures

If updating to the latest version in not possible:

Update the softwareupdate module to v1.6
Or disable the softwareupdate module by removing it from the MODULES= setting in the server config.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

20200722 SQL Injection in softwareupdate module

SQL Injection in softwareupdate module - CVE-2020-15887

Description

Vulnerable: Versions of MunkiReport from 2.5.3 to 5.6.2 are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

If updating to the latest version in not possible:

Introduction

Setup

Server Configuration

Client Configuration

Upgrade

Modules

Securing MunkiReport

Customization

Misc

Developers

Clone this wiki locally