8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-15886

GHSA ID

GHSA-qvw9-6567-wq78

EPSS Score

0.583%

CWE

CWE-89

Published

5/24/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15886

CVE-2020-15886: MunkiReport reportdata module SQL injection vulnerability

A SQL injection vulnerability in reportdata_controller.php in the reportdata module before 3.5 for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-15886

CVE-2020-15886:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-15886

GHSA ID

GHSA-qvw9-6567-wq78

EPSS Score

0.583%

CWE

CWE-89

Published

5/24/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
munkireport/reportdata	composer	< 3.5	3.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the handling of the 'req' parameter in the IP endpoint controller. Evidence from the advisory shows:

The attack vector is specifically through the 'req' parameter
The patch in reportdata v3.5 removed the 'req' parameter entirely
The vulnerability type (SQLi) indicates direct concatenation of user input into SQL queries
Controller files in PHP MVC frameworks typically contain endpoint handling logic
The CWE-89 classification confirms improper SQL query construction

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-15886: MunkiReport reportdata module SQL injection vulnerability

CVE-2020-15886:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

8.8

8.8

Basic Information

Basic Information

CVE-2020-15886: MunkiReport reportdata module SQL injection vulnerability

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI