Vulnerability Details CVE-2020-15887
A SQL injection vulnerability in softwareupdate_controller.php in the Software Update module before 1.6 for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the /module/softwareupdate/get_tab_data/ endpoint.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.4%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
- https://github.com/munkireport/munkireport-php/releases
- https://github.com/munkireport/munkireport-php/releases/tag/v5.6.3
- https://github.com/munkireport/munkireport-php/wiki/20200722-SQL-Injection-in-softwareupdate-module
- https://github.com/munkireport/softwareupdate/releases
- https://github.com/munkireport/munkireport-php/releases
- https://github.com/munkireport/munkireport-php/releases/tag/v5.6.3
- https://github.com/munkireport/munkireport-php/wiki/20200722-SQL-Injection-in-softwareupdate-module
- https://github.com/munkireport/softwareupdate/releases
Products affected by CVE-2020-15887
-
cpe:2.3:a:softwareupdate_project:softwareupdate:1.1
-
cpe:2.3:a:softwareupdate_project:softwareupdate:1.2
-
cpe:2.3:a:softwareupdate_project:softwareupdate:1.2.1
-
cpe:2.3:a:softwareupdate_project:softwareupdate:1.2.2
-
cpe:2.3:a:softwareupdate_project:softwareupdate:1.3
-
cpe:2.3:a:softwareupdate_project:softwareupdate:1.4
-
cpe:2.3:a:softwareupdate_project:softwareupdate:1.5