20200722 SQL Injection In Datatables Order By In Post Body

SQL Injection In Datatables Order By In Post Body - CVE-2020-15884

Description

The Datatable "order by" field is vulnerable to a SQL Injection attack by an authenticated user. An SQL Injection could allow a malicious actor to perform arbitrary queries on the database. This could lead to data exfiltration or in some case, code execution.

Vulnerable: Versions of MunkiReport from 2.5.3 to 5.6.2 are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures

An Opensource project

Introduction

Setup

Server Configuration

Client Configuration

Upgrade

Modules

Securing MunkiReport

Customization

Misc

Developers

Provide feedback

Saved searches

Use saved searches to filter your results more quickly