20200722 XSS Filter Bypass On Comments

XSS Filter Bypass On Comments - CVE-2020-15885

Description

A malicious user of munkireport (admin, manager, etc.) could post a comment on a user's laptop, and wait for an administrator to view the comment, or find a way to entice them to do so. Once an administrator views the comment, arbitrary Javascript code would be executed in their browser, allowing the attacker to elevate their privileges or impersonate their victim to perform actions on the application.

Vulnerable: Versions of MunkiReport from 2.5.3 to 5.6.2 are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures

If updating to the latest version in not possible:

Update the comment module to v4.0
Or disable the comment module by removing it from the MODULES= setting in the server config.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

20200722 XSS Filter Bypass On Comments

XSS Filter Bypass On Comments - CVE-2020-15885

Description

Vulnerable: Versions of MunkiReport from 2.5.3 to 5.6.2 are vulnerable

Mitigation

Update MunkiReport to the latest version (Preferred)

If updating to the latest version in not possible:

Introduction

Setup

Server Configuration

Client Configuration

Upgrade

Modules

Securing MunkiReport

Customization

Misc

Developers

Clone this wiki locally