CVE-2020-15886

Опубликовано: 23 июл. 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

A SQL injection vulnerability in reportdata_controller.php in the reportdata module before 3.5 for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint.

Ссылки

https://github.com/munkireport/munkireport-php/releases
Release Notes
Third Party Advisory
https://github.com/munkireport/munkireport-php/releases/tag/v5.6.3
Release Notes
Third Party Advisory
https://github.com/munkireport/munkireport-php/wiki/20200722-SQL-Injection-In-Reportdata-Ip-In-%27req%27-GET-Parameter
https://github.com/munkireport/reportdata/releases
Release Notes
Third Party Advisory
https://github.com/munkireport/munkireport-php/releases
Release Notes
Third Party Advisory
https://github.com/munkireport/munkireport-php/releases/tag/v5.6.3
Release Notes
Third Party Advisory
https://github.com/munkireport/munkireport-php/wiki/20200722-SQL-Injection-In-Reportdata-Ip-In-%27req%27-GET-Parameter
https://github.com/munkireport/reportdata/releases
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:reportdata_project:reportdata:*:*:*:*:*:munkireport:*:*

Версия до 3.5 (исключая)

EPSS

Процентиль: 59%

0.00374

Низкий

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-qvw9-6567-wq78