Miggo Logo

CVE-2020-15881: MunkiReport munki_facts module Cross-Site Scripting (XSS) vulnerability

6.1

CVSS Score
3.1

Basic Information

EPSS Score
0.66248%
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
munkireport/munki_factscomposer< 1.51.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper neutralization of the 'key name' parameter. The module's data handling functions would receive client-submitted key names and store them, while view templates would display these values. Since the advisory specifically calls out XSS via key name input, the vulnerability must exist in either/both the data ingestion path (insufficient input validation) and output path (lack of output encoding). The high confidence comes from: 1) The vulnerability pattern matches common XSS in MVC frameworks 2) The patch version 1.5 would logically require changes to both data handling and templating 3) The CWE-79 classification confirms this is output sanitization failure

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-Sit* S*riptin* (XSS) vuln*r**ility in t** munki_***ts (*k* Munki *on*itions) mo*ul* ***or* *.* *or MunkiR*port *llows r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML vi* t** k*y n*m*.

Reasoning

T** vuln*r**ility st*ms *rom improp*r n*utr*liz*tion o* t** 'k*y n*m*' p*r*m*t*r. T** mo*ul*'s **t* **n*lin* *un*tions woul* r***iv* *li*nt-su*mitt** k*y n*m*s *n* stor* t**m, w*il* vi*w t*mpl*t*s woul* *ispl*y t**s* v*lu*s. Sin** t** **visory sp**i*