CVE-2020-15881: MunkiReport munki_facts module Cross-Site Scripting (XSS) vulnerability
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.66248%
CWE
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
munkireport/munki_facts | composer | < 1.5 | 1.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper neutralization of the 'key name' parameter. The module's data handling functions would receive client-submitted key names and store them, while view templates would display these values. Since the advisory specifically calls out XSS via key name input, the vulnerability must exist in the data ingestion path (insufficient input validation), the output path (lack of output encoding), or both. The high confidence comes from: 1) the vulnerability pattern matches common XSS in MVC frameworks; 2) the patch version 1.5 would logically require changes to both data handling and templating; 3) the CWE-79 classification confirms this is an output sanitization failure.