20200722 SQL Injection In Reportdata Ip In 'req' GET Parameter

SQL Injection In Reportdata Ip In 'req' GET Parameter - CVE-2020-15886

Description

The endpoint is vulnerable to an SQL Injection attack by an authenticated user via the endpoint. An SQL Injection could allow a malicious actor to perform arbitrary query to the database. This could lead to data exfiltration or in some case, code execution.

Vulnerable: Versions of MunkiReport from 2.5.3 to 5.6.2 are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures

If updating to the latest version in not possible:

Update the reportdata module to v3.5

An Opensource project

Introduction

Setup

Server Configuration

Client Configuration

Upgrade

Modules

Securing MunkiReport

Customization

Misc

Developers

Provide feedback

Saved searches

Use saved searches to filter your results more quickly