CVE-2020-15887: MunkiReport Software Update module is vulnerable to SQL injection
CVSS Score: 8.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-15887
GHSA ID
EPSS Score: 0.583%
CWE
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| munkireport/softwareupdate | composer | < 1.6 | 1.6 |
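To check a deployment against the version range in the table above, the following added example (not part of the advisory or of MunkiReport) reads a `composer.lock` and reports whether `munkireport/softwareupdate` is below 1.6. The sample lock file and the `example/other-module` entry are constructed; `audit_lock` and `parse_version` are hypothetical helper names.

```python
import json
import re

PACKAGE = "munkireport/softwareupdate"  # package name from the advisory table
FIRST_PATCHED = (1, 6)                  # first patched version from the table


def parse_version(text):
    """Map '1.5.2' or 'v1.6' to an int tuple; None for anything else."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit_lock(lock_text):
    """Return (installed_version, verdict) for PACKAGE in a composer.lock."""
    lock = json.loads(lock_text)
    # Either section may be missing or null depending on how the lock was built.
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        raw = str(pkg.get("version", ""))
        ver = parse_version(raw)
        if ver is None:
            # Branch aliases (dev-master) and pre-releases have no usable
            # ordering here, so they are reported for manual review.
            return raw, "unknown"
        return raw, "vulnerable" if ver < FIRST_PATCHED else "patched"
    return None, "absent"


# Constructed sample lock file (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "munkireport/softwareupdate", "version": "v1.5"},
        {"name": "example/other-module", "version": "2.0.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

An "unknown" verdict means the lock file pins a branch or pre-release, so the installed commit has to be compared with the 1.6 release by hand.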
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly identifies the '/module/softwareupdate/get_tab_data/' endpoint's 'last' parameter as the injection vector. The module's security patch (v1.6) and associated release notes confirm SQL injection fixes. While the exact code isn't visible, the pattern matches classic SQL injection vulnerabilities where user input is directly concatenated into SQL queries. The endpoint handler in softwareupdate_controller.php would logically be responsible for processing this parameter and executing database operations.