Arjen Van Bochoven

#11009of 53,633
25Total CVSS
Vulnerabilities · 4
Medium
3
High
1
PT-2020-14683
8.1
2020-07-23
Munkireport · Munkireport · CVE-2020-15882
**Name of the Vulnerable Software and Affected Versions** MunkiReport versions prior to 5.6.3 **Description** A CSRF issue in the "manager/delete machine/{id}" endpoint allows attackers to delete arbitrary machines from the MunkiReport database. **Recommendations** For versions prior to 5.6.3, update to version 5.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "manager/delete machine/{id}" endpoint to minimize the risk of exploitation.
PT-2020-14684
6.1
2020-07-23
Munki · Munkireport · CVE-2020-15883
**Name of the Vulnerable Software and Affected Versions** MunkiReport versions prior to 2.6 **Description** A Cross-Site Scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the last two URL parameters, which report installed packages names and versions. **Recommendations** For versions prior to 2.6, update to version 2.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the managedinstalls module until a patch is available. Avoid using the last two URL parameters in the affected module to minimize the risk of exploitation.
PT-2020-14686
5.4
2020-07-23
Munkireport · Munkireport · CVE-2020-15885
**Name of the Vulnerable Software and Affected Versions** MunkiReport versions prior to 4.0 **Description** A Cross-Site Scripting (XSS) issue exists in the comment module, allowing remote attackers to inject arbitrary web script or HTML by posting a new comment. **Recommendations** For versions prior to 4.0, update to version 4.0 or later to resolve the issue.
PT-2020-11964
5.4
2020-03-09
Munki · Munkireport · CVE-2020-10191
**Name of the Vulnerable Software and Affected Versions** MunkiReport versions prior to 5.3.0 **Description** An issue allows an authenticated actor to send a custom XSS payload through the "/module/comment/save" endpoint. The payload will be executed by any authenticated users browsing the application. This issue is related to the app/controllers/client.php:detail file. **Recommendations** For versions prior to 5.3.0, update to version 5.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/module/comment/save" endpoint until a patch is available. Avoid using the vulnerable functionality in the app/controllers/client.php:detail file until the issue is resolved.