CVE-2020-10192

Name of the Vulnerable Software and Affected Versions Munkireport versions prior to 5.3.0.3923

Description An issue was discovered that allows an unauthenticated actor to send a custom XSS payload through the "/report/broken client" endpoint. The payload will be executed by any authenticated users browsing the application. This issue concerns the app/views/listings/default.php file.

Recommendations For versions prior to 5.3.0.3923, update to version 5.3.0.3923 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/report/broken client" endpoint to minimize the risk of exploitation.