CVE-2020-10191

Name of the Vulnerable Software and Affected Versions MunkiReport versions prior to 5.3.0

Description An issue allows an authenticated actor to send a custom XSS payload through the "/module/comment/save" endpoint. The payload will be executed by any authenticated users browsing the application. This issue is related to the app/controllers/client.php:detail file.

Recommendations For versions prior to 5.3.0, update to version 5.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/module/comment/save" endpoint until a patch is available. Avoid using the vulnerable functionality in the app/controllers/client.php:detail file until the issue is resolved.