munkireport/munkireport-php

GitHub

github.com

Releases112

Frequency1 month 1 week

Last Release almost 3 years ago

Stars408

A reporting tool for munki

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2020-15881 ↗	Jul 23, 2020Thursday, 23 July 2020, 14:15	6.1 MEDIUM	4.3 MEDIUM
A Cross-Site Scripting (XSS) vulnerability in the munki_facts (aka Munki Conditions) module before 1.5 for MunkiReport allows remote attackers to inject arbitrary web script or HTML via the key name.
CVE-2020-15882 ↗	Jul 23, 2020Thursday, 23 July 2020, 14:15	8.1 HIGH	5.8 MEDIUM
A CSRF issue in manager/delete_machine/{id} in MunkiReport before 5.6.3 allows attackers to delete arbitrary machines from the MunkiReport database.
CVE-2020-15883 ↗	Jul 23, 2020Thursday, 23 July 2020, 14:15	6.1 MEDIUM	4.3 MEDIUM
A Cross-Site Scripting (XSS) vulnerability in the managedinstalls module before 2.6 for MunkiReport allows remote attackers to inject arbitrary web script or HTML via the last two URL parameters (through which installed packages names and versions are reported).
CVE-2020-15884 ↗	Jul 23, 2020Thursday, 23 July 2020, 14:15	8.8 HIGH	6.5 MEDIUM
A SQL injection vulnerability in TableQuery.php in MunkiReport before 5.6.3 allows attackers to execute arbitrary SQL commands via the order[0][dir] field on POST requests to /datatables/data.
CVE-2020-15885 ↗	Jul 23, 2020Thursday, 23 July 2020, 14:15	5.4 MEDIUM	3.5 LOW
A Cross-Site Scripting (XSS) vulnerability in the comment module before 4.0 for MunkiReport allows remote attackers to inject arbitrary web script or HTML by posting a new comment.
CVE-2020-15886 ↗	Jul 23, 2020Thursday, 23 July 2020, 14:15	8.8 HIGH	6.5 MEDIUM
A SQL injection vulnerability in reportdata_controller.php in the reportdata module before 3.5 for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint.
CVE-2020-15887 ↗	Jul 23, 2020Thursday, 23 July 2020, 14:15	8.8 HIGH	6.5 MEDIUM
A SQL injection vulnerability in softwareupdate_controller.php in the Software Update module before 1.6 for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the /module/softwareupdate/get_tab_data/ endpoint.
CVE-2020-10191 ↗	Mar 9, 2020Monday, 9 March 2020, 19:15	5.4 MEDIUM	3.5 LOW
An issue was discovered in MunkiReport before 5.3.0. An authenticated actor can send a custom XSS payload through the /module/comment/save endpoint. The payload will be executed by any authenticated users browsing the application. This concerns app/controllers/client.php:detail.
CVE-2020-10192 ↗	Mar 9, 2020Monday, 9 March 2020, 19:15	6.1 MEDIUM	4.3 MEDIUM
An issue was discovered in Munkireport before 5.3.0.3923. An unauthenticated actor can send a custom XSS payload through the /report/broken_client endpoint. The payload will be executed by any authenticated users browsing the application. This concerns app/views/listings/default.php.
CVE-2020-10190 ↗	Mar 9, 2020Monday, 9 March 2020, 19:15	8.8 HIGH	6.5 MEDIUM
An issue was discovered in MunkiReport before 5.3.0. An authenticated user could achieve SQL Injection in app/models/tablequery.php by crafting a special payload on the /datatables/data endpoint.