20200722 munki_facts XSS
Arjen van Bochoven edited this page Jul 22, 2020
·
2 revisions
Pages 100
Introduction
Setup
Server Configuration
Client Configuration
Upgrade
- General Upgrade Procedures
- How to Upgrade Versions
- Troubleshooting Upgrades
- Migrating sqlite to MySQL
Modules
Securing MunkiReport
Customization
Misc
Developers
Clone this wiki locally
munki_facts XSS - CVE-2020-15881
Description
Stored cross-site scripting (XSS) is a client side vulnerability allowing arbitrary javascript execution based on arbitrary data sent directly to the client and executed by the browser. A malicious actor can send data to the application via the munki_facts module and once the administrator visits the munki_facts page will execute actions unbeknownst to the user.
Vulnerable: Versions of MunkiReport from 2.5.3 to 5.6.2 are vulnerable
Mitigation
Update MunkiReport to the latest version (Preferred)
- Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
- General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures
If updating to the latest version in not possible:
- Update the
munki_factsmodule to v1.5 - Or disable the
munki_factsmodule by removing it from theMODULES=setting in the server config.
An Opensource project