Miggo Logo
Miggo Vulnerability Database
CVE-2020-15886

CVE-2020-15886:
MunkiReport reportdata module SQL injection vulnerability

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-15886
GHSA ID
GHSA-qvw9-6567-wq78
EPSS Score
0.583%
CWE
CWE-89
Published
5/24/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
munkireport/reportdatacomposer< 3.53.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the handling of the 'req' parameter in the IP endpoint controller. Evidence from the advisory shows:

  1. The attack vector is specifically through the 'req' parameter
  2. The patch in reportdata v3.5 removed the 'req' parameter entirely
  3. The vulnerability type (SQLi) indicates direct concatenation of user input into SQL queries
  4. Controller files in PHP MVC frameworks typically contain endpoint handling logic
  5. The CWE-89 classification confirms improper SQL query construction

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* SQL inj**tion vuln*r**ility in r*port**t*_*ontroll*r.p*p in t** r*port**t* mo*ul* ***or* *.* *or MunkiR*port *llows *tt**k*rs to *x**ut* *r*itr*ry SQL *omm*n*s vi* t** r*q p*r*m*t*r o* t** /mo*ul*/r*port**t*/ip *n*point.

Reasoning

T** vuln*r**ility st*ms *rom t** **n*lin* o* t** 'r*q' p*r*m*t*r in t** IP *n*point *ontroll*r. *vi**n** *rom t** **visory s*ows: *. T** *tt**k v**tor is sp**i*i**lly t*rou** t** 'r*q' p*r*m*t*r *. T** p*t** in r*port**t* v*.* r*mov** t** 'r*q' p*r*m