CVE-2020-10192 in MunkiReport
Summary
by MITRE
An issue was discovered in Munkireport before 5.3.0.3923. An unauthenticated actor can send a custom XSS payload through the /report/broken_client endpoint. The payload will be executed by any authenticated users browsing the application. This concerns app/views/listings/default.php.
Analysis
by VulDB Data Team • 05/11/2025
CVE-2020-10192 is a critical cross-site scripting flaw in Munkireport versions prior to 5.3.0.3923 that exposes the application to unauthorized script execution through a single endpoint. The /report/broken_client endpoint accepts input from unauthenticated actors without adequate validation or sanitization, and that input is later rendered by the view file app/views/listings/default.php. Because the injected JavaScript runs automatically whenever an authenticated user opens the affected listing, the flaw is a persistent (stored) XSS vector that can reach the application's entire user base.
The weakness is classified as CWE-79, which covers the improper handling of input data that lets an attacker inject client-side script into a web application. It follows the classic stored-injection pattern: user-supplied data is kept server-side and flows directly into rendered output without sanitization or encoding. Because the initial payload is delivered unauthenticated, no credentials are needed to plant it in the application's data. The script then executes in the browsers of authenticated users, in their session context, which may allow an attacker to read sensitive information, perform actions as those users, or escalate privileges within the application's scope.
Operationally, the flaw is a significant risk for organizations that rely on Munkireport for system management and monitoring. An external actor submits a malicious payload to the exposed endpoint; it is stored and executed every time an authenticated user views the affected listings page. This persistent threat can compromise user sessions, steal authentication tokens, or hand the attacker the victim's privileges within the application. Both integrity and confidentiality are affected, since unauthorized code runs in the context of legitimate users, and a complete compromise is possible where the application itself holds elevated privileges or access to sensitive data. No prior authentication or authorization against the target is needed to carry out the attack.
Mitigation should prioritize upgrading to Munkireport 5.3.0.3923 or later, which contains the fix for this XSS. Organizations should also restrict network access to the /report/broken_client endpoint to trusted sources only, and apply proper input validation and output encoding to prevent future injection. Content Security Policy headers add defense in depth by blocking execution of unauthorized scripts within the application context. Endpoints should be scanned and monitored regularly for similar weaknesses, with particular attention to custom endpoints that process user input. Automated patch management shortens the window of exposure for known vulnerabilities; this flaw illustrates why keeping software current matters against well-established attack vectors.
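As an added example (not MunkiReport's own code, and not the contents of app/views/listings/default.php), the following PHP contrasts the root cause described in the analysis with the output-encoding and CSP mitigations recommended above. The record layout, the field names, the `e()` helper and the `render_row_*` functions are all constructed for this illustration; the stored value stands in for a broken-client report submitted through an unauthenticated endpoint.

```php
<?php
// Added example, not MunkiReport code. Shows a view that echoes a stored,
// attacker-controlled field verbatim next to one that HTML-encodes it, plus
// a Content-Security-Policy header as a second layer of defence.
declare(strict_types=1);

/**
 * Vulnerable pattern: the stored field is interpolated into the page unchanged,
 * so markup submitted by an unauthenticated client becomes live HTML for every
 * authenticated user who opens the listing (stored XSS, CWE-79).
 */
function render_row_unsafe(array $client): string
{
    return '<tr><td>' . $client['serial'] . '</td><td>' . $client['error'] . '</td></tr>';
}

/**
 * HTML-body encoding helper (constructed name). ENT_QUOTES also escapes quotes
 * so the same helper is safe inside double- or single-quoted attributes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: every untrusted value passes through the encoder before it
 * reaches the output buffer, so '<script>' is emitted as '&lt;script&gt;'.
 */
function render_row_safe(array $client): string
{
    return '<tr><td>' . e($client['serial']) . '</td><td>' . e($client['error']) . '</td></tr>';
}

/**
 * Defence in depth: a policy that forbids inline scripts means a value that
 * slips past encoding still cannot execute. Must be sent before any output.
 */
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    }
}

// Constructed sample record standing in for one stored broken-client report.
$sample = [
    'serial' => 'C02XXXXXXXXX',
    'error'  => '<script>/* constructed sample, not a real payload */</script>',
];

send_csp_header();
echo 'Unsafe: ' . render_row_unsafe($sample) . PHP_EOL;
echo 'Safe:   ' . render_row_safe($sample) . PHP_EOL;
```

Run it with `php example.php`: the unsafe row reproduces the angle brackets verbatim, while the safe row prints `&lt;script&gt;…&lt;/script&gt;`, which a browser displays as text rather than executing. Two practical caveats: `header()` is a no-op on the CLI and must be called before any byte of output in a real request, and `htmlspecialchars()` is correct only for HTML body and attribute contexts; values placed inside JavaScript, URLs or CSS need the encoder for that context instead.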