CVE-2020-15884

Name of the Vulnerable Software and Affected Versions MunkiReport versions prior to 5.6.3

Description A SQL injection issue allows attackers to execute arbitrary SQL commands. This is achieved via the order[0][dir] field on POST requests to the "/datatables/data" API endpoint.

Recommendations For versions prior to 5.6.3, update to version 5.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/datatables/data" API endpoint to minimize the risk of exploitation. Avoid using the order[0][dir] field in POST requests to this endpoint until the issue is resolved.