Vulnerabilites related to phpipam - phpipam
CVE-2024-10723 (GCVE-0-2024-10723)
Vulnerability from cvelistv5
Published
2025-03-20 10:09
Modified
2025-03-20 18:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the destination address field of the NAT tool, which can be executed when a user interacts with the field. The impact of this vulnerability includes the potential theft of user cookies, unauthorized access to user accounts, and redirection to malicious websites. The issue has been fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10723",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:51:05.672642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:55:33.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the destination address field of the NAT tool, which can be executed when a user interacts with the field. The impact of this vulnerability includes the potential theft of user cookies, unauthorized access to user accounts, and redirection to malicious websites. The issue has been fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:09:23.803Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/9af99057-e4f6-4d07-b3bb-3213b977801d"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
}
],
"source": {
"advisory": "9af99057-e4f6-4d07-b3bb-3213b977801d",
"discovery": "EXTERNAL"
},
"title": "Stored XSS in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10723",
"datePublished": "2025-03-20T10:09:23.803Z",
"dateReserved": "2024-11-01T23:23:05.376Z",
"dateUpdated": "2025-03-20T18:55:33.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10727 (GCVE-0-2024-10727)
Vulnerability from cvelistv5
Published
2025-03-20 10:10
Modified
2025-03-20 15:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute arbitrary JavaScript in the context of the user's browser, potentially leading to full compromise of the user.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10727",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T15:53:13.184868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T15:53:17.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/259eed22-4d6f-4229-92e5-04674f302d5d"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute arbitrary JavaScript in the context of the user\u0027s browser, potentially leading to full compromise of the user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:10:58.253Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/259eed22-4d6f-4229-92e5-04674f302d5d"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
}
],
"source": {
"advisory": "259eed22-4d6f-4229-92e5-04674f302d5d",
"discovery": "EXTERNAL"
},
"title": "Cross-Site Scripting (XSS) in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10727",
"datePublished": "2025-03-20T10:10:58.253Z",
"dateReserved": "2024-11-01T23:43:20.860Z",
"dateUpdated": "2025-03-20T15:53:17.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1211 (GCVE-0-2023-1211)
Vulnerability from cvelistv5
Published
2023-03-06 00:00
Modified
2025-03-06 19:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
Summary
SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < v1.5.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:40:59.715Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/ed569124-2aeb-4b0d-a312-435460892afd"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/16e7a94fb69412e569ccf6f2fe0a1f847309c922"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T19:26:50.402704Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T19:27:01.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "v1.5.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-06T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/ed569124-2aeb-4b0d-a312-435460892afd"
},
{
"url": "https://github.com/phpipam/phpipam/commit/16e7a94fb69412e569ccf6f2fe0a1f847309c922"
}
],
"source": {
"advisory": "ed569124-2aeb-4b0d-a312-435460892afd",
"discovery": "EXTERNAL"
},
"title": " SQL Injection in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-1211",
"datePublished": "2023-03-06T00:00:00.000Z",
"dateReserved": "2023-03-06T00:00:00.000Z",
"dateUpdated": "2025-03-06T19:27:01.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41443 (GCVE-0-2022-41443)
Vulnerability from cvelistv5
Published
2022-10-03 15:31
Modified
2024-08-03 12:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:42:46.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-03T15:31:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-41443",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01",
"refsource": "MISC",
"url": "https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-41443",
"datePublished": "2022-10-03T15:31:47",
"dateReserved": "2022-09-26T00:00:00",
"dateUpdated": "2024-08-03T12:42:46.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-15640 (GCVE-0-2017-15640)
Vulnerability from cvelistv5
Published
2018-04-21 21:00
Modified
2024-08-05 19:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/releases/tag/1.3.1 | x_refsource_CONFIRM | |
| https://github.com/phpipam/phpipam/issues/1521 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:27.618Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/1.3.1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/1521"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-21T21:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/1.3.1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/phpipam/phpipam/issues/1521"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-15640",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/releases/tag/1.3.1",
"refsource": "CONFIRM",
"url": "https://github.com/phpipam/phpipam/releases/tag/1.3.1"
},
{
"name": "https://github.com/phpipam/phpipam/issues/1521",
"refsource": "CONFIRM",
"url": "https://github.com/phpipam/phpipam/issues/1521"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-15640",
"datePublished": "2018-04-21T21:00:00",
"dateReserved": "2017-10-19T00:00:00",
"dateUpdated": "2024-08-05T19:57:27.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1224 (GCVE-0-2022-1224)
Vulnerability from cvelistv5
Published
2022-04-04 10:45
Modified
2024-08-02 23:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a | x_refsource_CONFIRM | |
| https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.4.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.593Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T10:45:15",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
}
],
"source": {
"advisory": "cd9e1508-5682-427e-a921-14b4f520b85a",
"discovery": "EXTERNAL"
},
"title": "Improper Authorization in phpipam/phpipam",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1224",
"STATE": "PUBLIC",
"TITLE": "Improper Authorization in phpipam/phpipam"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "phpipam/phpipam",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.6"
}
]
}
}
]
},
"vendor_name": "phpipam"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a"
},
{
"name": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
}
]
},
"source": {
"advisory": "cd9e1508-5682-427e-a921-14b4f520b85a",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1224",
"datePublished": "2022-04-04T10:45:15",
"dateReserved": "2022-04-04T00:00:00",
"dateUpdated": "2024-08-02T23:55:24.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10724 (GCVE-0-2024-10724)
Vulnerability from cvelistv5
Published
2025-03-20 10:09
Modified
2025-03-20 18:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2, specifically in the Subnet NAT translations section when editing the Destination address. This vulnerability allows an attacker to execute malicious code. The issue is fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10724",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:50:47.227519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:38:13.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2, specifically in the Subnet NAT translations section when editing the Destination address. This vulnerability allows an attacker to execute malicious code. The issue is fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:09:30.561Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/0746e357-fcc7-44db-b8e7-857875c54999"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
}
],
"source": {
"advisory": "0746e357-fcc7-44db-b8e7-857875c54999",
"discovery": "EXTERNAL"
},
"title": "Stored XSS in IPV6 Section in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10724",
"datePublished": "2025-03-20T10:09:30.561Z",
"dateReserved": "2024-11-01T23:24:14.738Z",
"dateUpdated": "2025-03-20T18:38:13.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41358 (GCVE-0-2024-41358)
Vulnerability from cvelistv5
Published
2024-08-29 00:00
Modified
2025-04-16 13:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T13:41:35.836844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T19:17:58.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\\admin\\import-export\\import-load-data.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T13:57:40.598Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/issues/4148"
},
{
"url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2024-41358.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41358",
"datePublished": "2024-08-29T00:00:00.000Z",
"dateReserved": "2024-07-18T00:00:00.000Z",
"dateUpdated": "2025-04-16T13:57:40.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7988 (GCVE-0-2020-7988)
Vulnerability from cvelistv5
Published
2020-03-04 16:07
Modified
2024-08-04 09:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens.
References
| ▼ | URL | Tags |
|---|---|---|
| https://phpipam.net/news/phpipam-v1-5-released/ | x_refsource_MISC | |
| https://pastebin.com/ZPECbgZb | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:48:24.607Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://phpipam.net/news/phpipam-v1-5-released/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pastebin.com/ZPECbgZb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-04T16:07:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://phpipam.net/news/phpipam-v1-5-released/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pastebin.com/ZPECbgZb"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-7988",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://phpipam.net/news/phpipam-v1-5-released/",
"refsource": "MISC",
"url": "https://phpipam.net/news/phpipam-v1-5-released/"
},
{
"name": "https://pastebin.com/ZPECbgZb",
"refsource": "MISC",
"url": "https://pastebin.com/ZPECbgZb"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-7988",
"datePublished": "2020-03-04T16:07:52",
"dateReserved": "2020-01-26T00:00:00",
"dateUpdated": "2024-08-04T09:48:24.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10722 (GCVE-0-2024-10722)
Vulnerability from cvelistv5
Published
2025-03-20 10:10
Modified
2025-03-20 18:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability allows attackers to inject malicious scripts into the 'Description' field of custom fields in the 'IP RELATED MANAGEMENT' section. This can lead to data theft, account compromise, distribution of malware, website defacement, content manipulation, and phishing attacks. The issue is fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10722",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:48:32.150855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:20:56.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability allows attackers to inject malicious scripts into the \u0027Description\u0027 field of custom fields in the \u0027IP RELATED MANAGEMENT\u0027 section. This can lead to data theft, account compromise, distribution of malware, website defacement, content manipulation, and phishing attacks. The issue is fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:10:29.411Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/f0bc97b2-33a9-4b15-aa05-ff7c57624847"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
}
],
"source": {
"advisory": "f0bc97b2-33a9-4b15-aa05-ff7c57624847",
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10722",
"datePublished": "2025-03-20T10:10:29.411Z",
"dateReserved": "2024-11-01T23:20:38.488Z",
"dateUpdated": "2025-03-20T18:20:56.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4965 (GCVE-0-2023-4965)
Vulnerability from cvelistv5
Published
2023-09-14 20:00
Modified
2024-08-02 07:44
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
2.7 (Low) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
2.7 (Low) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - Open Redirect
Summary
A vulnerability was found in phpipam 1.5.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Header Handler. The manipulation of the argument X-Forwarded-Host leads to open redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239732.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.239732 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.239732 | signature, permissions-required | |
| https://github.com/ctflearner/Vulnerability/blob/main/PHPIPAM/Open_Redirect.md | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4965",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-08T18:38:37.615056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T18:38:50.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:44:53.442Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.239732"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.239732"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/ctflearner/Vulnerability/blob/main/PHPIPAM/Open_Redirect.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Header Handler"
],
"product": "phpipam",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.5.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "Affan (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in phpipam 1.5.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Header Handler. The manipulation of the argument X-Forwarded-Host leads to open redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239732."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in phpipam 1.5.1 ausgemacht. Dies betrifft einen unbekannten Teil der Komponente Header Handler. Durch das Beeinflussen des Arguments X-Forwarded-Host mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 Open Redirect",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T16:17:01.640Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.239732"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.239732"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/ctflearner/Vulnerability/blob/main/PHPIPAM/Open_Redirect.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-09-14T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-09-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-10-11T19:28:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "phpipam Header redirect"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-4965",
"datePublished": "2023-09-14T20:00:07.601Z",
"dateReserved": "2023-09-14T15:36:32.006Z",
"dateUpdated": "2024-08-02T07:44:53.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41580 (GCVE-0-2023-41580)
Vulnerability from cvelistv5
Published
2023-10-02 00:00
Modified
2024-09-23 16:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:35.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ehtec/phpipam-exploit"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/c451085476074943eb4056941005c0b61db566c5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41580",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T16:27:26.209058Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T16:28:18.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-02T12:44:18.461673",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ehtec/phpipam-exploit"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c451085476074943eb4056941005c0b61db566c5"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-41580",
"datePublished": "2023-10-02T00:00:00",
"dateReserved": "2023-08-30T00:00:00",
"dateUpdated": "2024-09-23T16:28:18.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16695 (GCVE-0-2019-16695)
Vulnerability from cvelistv5
Published
2019-09-22 14:58
Modified
2024-08-05 01:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/2738 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-22T14:58:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16695",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/2738",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16695",
"datePublished": "2019-09-22T14:58:23",
"dateReserved": "2019-09-22T00:00:00",
"dateUpdated": "2024-08-05T01:17:41.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0678 (GCVE-0-2023-0678)
Vulnerability from cvelistv5
Published
2023-02-04 00:00
Modified
2025-03-26 14:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization in GitHub repository phpipam/phpipam prior to v1.5.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < v1.5.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:50.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/8d299377-be00-46dc-bebe-3d439127982f"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/1960bd24e8a55796da066237cf11272c44bb1cc4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0678",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T14:43:49.348203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T14:44:18.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "v1.5.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization in GitHub repository phpipam/phpipam prior to v1.5.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-02T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/8d299377-be00-46dc-bebe-3d439127982f"
},
{
"url": "https://github.com/phpipam/phpipam/commit/1960bd24e8a55796da066237cf11272c44bb1cc4"
}
],
"source": {
"advisory": "8d299377-be00-46dc-bebe-3d439127982f",
"discovery": "EXTERNAL"
},
"title": "Missing Authorization in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0678",
"datePublished": "2023-02-04T00:00:00.000Z",
"dateReserved": "2023-02-04T00:00:00.000Z",
"dateUpdated": "2025-03-26T14:44:18.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0676 (GCVE-0-2023-0676)
Vulnerability from cvelistv5
Published
2023-02-04 00:00
Modified
2025-03-26 14:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.5.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:50.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/b72d4f0c-8a96-4b40-a031-7d469c6ab93b"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/94ec73ff1d33926b75b811ded6f0b4a46088a7ec"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0676",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T14:46:55.903011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T14:47:18.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.5.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-04T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/b72d4f0c-8a96-4b40-a031-7d469c6ab93b"
},
{
"url": "https://github.com/phpipam/phpipam/commit/94ec73ff1d33926b75b811ded6f0b4a46088a7ec"
}
],
"source": {
"advisory": "b72d4f0c-8a96-4b40-a031-7d469c6ab93b",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0676",
"datePublished": "2023-02-04T00:00:00.000Z",
"dateReserved": "2023-02-04T00:00:00.000Z",
"dateUpdated": "2025-03-26T14:47:18.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-6481 (GCVE-0-2017-6481)
Vulnerability from cvelistv5
Published
2017-03-05 20:00
Modified
2024-08-05 15:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam 1.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (instructions in app/admin/instructions/preview.php; subnetId in app/admin/powerDNS/refresh-ptr-records.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/992 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/96573 | vdb-entry, x_refsource_BID |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T15:33:20.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/992"
},
{
"name": "96573",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/96573"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam 1.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (instructions in app/admin/instructions/preview.php; subnetId in app/admin/powerDNS/refresh-ptr-records.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-03-07T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/phpipam/phpipam/issues/992"
},
{
"name": "96573",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/96573"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-6481",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam 1.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (instructions in app/admin/instructions/preview.php; subnetId in app/admin/powerDNS/refresh-ptr-records.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/992",
"refsource": "CONFIRM",
"url": "https://github.com/phpipam/phpipam/issues/992"
},
{
"name": "96573",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/96573"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-6481",
"datePublished": "2017-03-05T20:00:00",
"dateReserved": "2017-03-05T00:00:00",
"dateUpdated": "2024-08-05T15:33:20.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23045 (GCVE-0-2022-23045)
Vulnerability from cvelistv5
Published
2022-01-19 20:38
Modified
2024-08-03 03:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Stored cross-site scripting (XSS)
Summary
PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/releases/tag/v1.4.5 | x_refsource_MISC | |
| https://fluidattacks.com/advisories/osbourne/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:43.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/osbourne/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PhpIPAM",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the \"Site title\" parameter while updating the site settings. The \"Site title\" setting is injected in several locations which triggers the XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored cross-site scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-19T20:38:57",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/osbourne/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-23045",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PhpIPAM",
"version": {
"version_data": [
{
"version_value": "1.4.4"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the \"Site title\" parameter while updating the site settings. The \"Site title\" setting is injected in several locations which triggers the XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stored cross-site scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
},
{
"name": "https://fluidattacks.com/advisories/osbourne/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/osbourne/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-23045",
"datePublished": "2022-01-19T20:38:57",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-08-03T03:28:43.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3845 (GCVE-0-2022-3845)
Vulnerability from cvelistv5
Published
2022-11-02 00:00
Modified
2025-04-15 13:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-707 - Improper Neutralization -> CWE-74 Injection -> CWE-79 Cross Site Scripting
Summary
A vulnerability has been found in phpipam and classified as problematic. Affected by this vulnerability is an unknown functionality of the file app/admin/import-export/import-load-data.php of the component Import Preview Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-212863.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| unspecified | phpipam |
Version: n/a |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/22c797c3583001211fe7d31bccd3f1d4aeeb3bbc"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.5.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.212863"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:06:25.199706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:17:33.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in phpipam and classified as problematic. Affected by this vulnerability is an unknown functionality of the file app/admin/import-export/import-load-data.php of the component Import Preview Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-212863."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-707",
"description": "CWE-707 Improper Neutralization -\u003e CWE-74 Injection -\u003e CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-02T00:00:00.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/commit/22c797c3583001211fe7d31bccd3f1d4aeeb3bbc"
},
{
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.5.0"
},
{
"url": "https://vuldb.com/?id.212863"
}
],
"title": "phpipam Import Preview import-load-data.php cross site scripting",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2022-3845",
"datePublished": "2022-11-02T00:00:00.000Z",
"dateReserved": "2022-11-02T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:17:33.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-46426 (GCVE-0-2021-46426)
Vulnerability from cvelistv5
Published
2022-03-25 15:54
Modified
2024-08-04 05:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.tempest.com.br | x_refsource_MISC | |
| https://github.com/phpipam | x_refsource_MISC | |
| https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351 | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2022/May/43 | mailing-list, x_refsource_FULLDISC | |
| http://packetstormsecurity.com/files/167227/PHPIPAM-1.4.4-Cross-Site-Request-Forgery-Cross-Site-Scripting.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:02:11.522Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tempest.com.br"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351"
},
{
"name": "20220518 PHPIPAM 1.4.4 - CVE-2021-46426",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/43"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167227/PHPIPAM-1.4.4-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-19T17:06:13",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tempest.com.br"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351"
},
{
"name": "20220518 PHPIPAM 1.4.4 - CVE-2021-46426",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2022/May/43"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167227/PHPIPAM-1.4.4-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-46426",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tempest.com.br",
"refsource": "MISC",
"url": "https://www.tempest.com.br"
},
{
"name": "https://github.com/phpipam",
"refsource": "MISC",
"url": "https://github.com/phpipam"
},
{
"name": "https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351"
},
{
"name": "20220518 PHPIPAM 1.4.4 - CVE-2021-46426",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2022/May/43"
},
{
"name": "http://packetstormsecurity.com/files/167227/PHPIPAM-1.4.4-Cross-Site-Request-Forgery-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167227/PHPIPAM-1.4.4-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-46426",
"datePublished": "2022-03-25T15:54:12",
"dateReserved": "2022-01-24T00:00:00",
"dateUpdated": "2024-08-04T05:02:11.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0677 (GCVE-0-2023-0677)
Vulnerability from cvelistv5
Published
2023-02-04 00:00
Modified
2025-03-26 14:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < v1.5.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:17:50.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/d280ae81-a1c9-4a50-9aa4-f98f1f9fd2c0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/8fbf87e19a6098972abc7521554db5757c3edd89"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0677",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T14:45:26.216286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T14:45:44.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "v1.5.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-04T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/d280ae81-a1c9-4a50-9aa4-f98f1f9fd2c0"
},
{
"url": "https://github.com/phpipam/phpipam/commit/8fbf87e19a6098972abc7521554db5757c3edd89"
}
],
"source": {
"advisory": "d280ae81-a1c9-4a50-9aa4-f98f1f9fd2c0",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Reflected in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0677",
"datePublished": "2023-02-04T00:00:00.000Z",
"dateReserved": "2023-02-04T00:00:00.000Z",
"dateUpdated": "2025-03-26T14:45:44.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41357 (GCVE-0-2024-41357)
Vulnerability from cvelistv5
Published
2024-07-26 00:00
Modified
2025-04-16 14:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "phpipam",
"vendor": "phpipam",
"versions": [
{
"status": "affected",
"version": "1.6"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41357",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T15:23:20.604857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T15:24:15.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.381Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/4149"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T14:05:43.853Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/issues/4149"
},
{
"url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2024-41357.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41357",
"datePublished": "2024-07-26T00:00:00.000Z",
"dateReserved": "2024-07-18T00:00:00.000Z",
"dateUpdated": "2025-04-16T14:05:43.853Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10720 (GCVE-0-2024-10720)
Vulnerability from cvelistv5
Published
2025-03-20 10:10
Modified
2025-03-20 18:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability occurs in the 'Device Management' section under 'Administration' where an attacker can inject malicious scripts into the 'Name' and 'Description' fields when adding a new device type. This can lead to data theft, account compromise, distribution of malware, website defacement, and phishing attacks. The issue is fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10720",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:48:24.354684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:20:08.111Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability occurs in the \u0027Device Management\u0027 section under \u0027Administration\u0027 where an attacker can inject malicious scripts into the \u0027Name\u0027 and \u0027Description\u0027 fields when adding a new device type. This can lead to data theft, account compromise, distribution of malware, website defacement, and phishing attacks. The issue is fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:10:32.703Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/75e06e05-7f69-4938-a83c-1dcc98922188"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
}
],
"source": {
"advisory": "75e06e05-7f69-4938-a83c-1dcc98922188",
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10720",
"datePublished": "2025-03-20T10:10:32.703Z",
"dateReserved": "2024-11-01T23:15:33.745Z",
"dateUpdated": "2025-03-20T18:20:08.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1212 (GCVE-0-2023-1212)
Vulnerability from cvelistv5
Published
2023-03-06 00:00
Modified
2025-03-06 18:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < v1.5.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:40:59.856Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/3d5199d6-9bb2-4f7b-bd81-bded704da499"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/78e0470100a6cb143fe9af2e336dce80e4620960"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1212",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T18:32:12.870447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T18:32:30.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "v1.5.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-06T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/3d5199d6-9bb2-4f7b-bd81-bded704da499"
},
{
"url": "https://github.com/phpipam/phpipam/commit/78e0470100a6cb143fe9af2e336dce80e4620960"
}
],
"source": {
"advisory": "3d5199d6-9bb2-4f7b-bd81-bded704da499",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Stored in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-1212",
"datePublished": "2023-03-06T00:00:00.000Z",
"dateReserved": "2023-03-06T00:00:00.000Z",
"dateUpdated": "2025-03-06T18:32:30.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23046 (GCVE-0-2022-23046)
Vulnerability from cvelistv5
Published
2022-01-19 20:38
Modified
2024-08-03 03:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- SQL injection
Summary
PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php
References
| ▼ | URL | Tags |
|---|---|---|
| https://fluidattacks.com/advisories/mercury/ | x_refsource_MISC | |
| https://github.com/phpipam/phpipam/releases/tag/v1.4.5 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.952Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/mercury/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PhpIPAM",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "1.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the \"subnet\" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-25T17:06:11",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/mercury/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-23046",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PhpIPAM",
"version": {
"version_data": [
{
"version_value": "1.4.4"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the \"subnet\" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/mercury/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/mercury/"
},
{
"name": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
},
{
"name": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-23046",
"datePublished": "2022-01-19T20:38:56",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-08-03T03:28:42.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000860 (GCVE-0-2018-1000860)
Vulnerability from cvelistv5
Published
2018-12-20 16:00
Modified
2024-09-17 00:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'><script>alert(1)</script>quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain..
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/2338 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:47:57.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2338"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-12-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh\u0027\u003e\u003cscript\u003ealert(1)\u003c/script\u003equqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance\u0027s domain.."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T16:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/2338"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-12-05T14:18:48.097031",
"DATE_REQUESTED": "2018-11-29T17:16:48",
"ID": "CVE-2018-1000860",
"REQUESTER": "Disgruntled3lf@gmail.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh\u0027\u003e\u003cscript\u003ealert(1)\u003c/script\u003equqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance\u0027s domain.."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/2338",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2338"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000860",
"datePublished": "2018-12-20T16:00:00Z",
"dateReserved": "2018-12-20T00:00:00Z",
"dateUpdated": "2024-09-17T00:05:30.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24657 (GCVE-0-2023-24657)
Vulnerability from cvelistv5
Published
2023-03-08 00:00
Modified
2025-03-05 18:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:03:19.049Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/3738"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-24657",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T18:46:36.441308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T18:47:09.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-08T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/issues/3738"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-24657",
"datePublished": "2023-03-08T00:00:00.000Z",
"dateReserved": "2023-01-30T00:00:00.000Z",
"dateUpdated": "2025-03-05T18:47:09.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1000010 (GCVE-0-2019-1000010)
Vulnerability from cvelistv5
Published
2019-02-04 21:00
Modified
2024-08-05 03:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/2327 | x_refsource_MISC | |
| https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.418Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2327"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2019-01-22T00:00:00",
"datePublic": "2019-02-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-04T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/2327"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2019-01-22T21:21:10.018967",
"DATE_REQUESTED": "2019-01-15T04:36:09",
"ID": "CVE-2019-1000010",
"REQUESTER": "oscar@sakerhetskontoret.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/2327",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2327"
},
{
"name": "https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-1000010",
"datePublished": "2019-02-04T21:00:00",
"dateReserved": "2019-01-15T00:00:00",
"dateUpdated": "2024-08-05T03:00:19.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41355 (GCVE-0-2024-41355)
Vulnerability from cvelistv5
Published
2024-07-26 00:00
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/tools/request-ip/index.php.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "phpipam",
"vendor": "phpipam",
"versions": [
{
"status": "affected",
"version": "1.6"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41355",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:36:40.426438Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:37:38.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.655Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/4151"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/tools/request-ip/index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T15:58:36.784239",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/issues/4151"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41355",
"datePublished": "2024-07-26T00:00:00",
"dateReserved": "2024-07-18T00:00:00",
"dateUpdated": "2024-08-02T04:46:52.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1225 (GCVE-0-2022-1225)
Vulnerability from cvelistv5
Published
2022-04-04 10:50
Modified
2024-08-02 23:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-266 - Incorrect Privilege Assignment
Summary
Incorrect Privilege Assignment in GitHub repository phpipam/phpipam prior to 1.4.6.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | x_refsource_MISC | |
| https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.4.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.394Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Privilege Assignment in GitHub repository phpipam/phpipam prior to 1.4.6."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-04T10:50:11",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2"
}
],
"source": {
"advisory": "49b44cfa-d142-4d79-b529-7805507169d2",
"discovery": "EXTERNAL"
},
"title": "Incorrect Privilege Assignment in phpipam/phpipam",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1225",
"STATE": "PUBLIC",
"TITLE": "Incorrect Privilege Assignment in phpipam/phpipam"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "phpipam/phpipam",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.6"
}
]
}
}
]
},
"vendor_name": "phpipam"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incorrect Privilege Assignment in GitHub repository phpipam/phpipam prior to 1.4.6."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-266 Incorrect Privilege Assignment"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"name": "https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2"
}
]
},
"source": {
"advisory": "49b44cfa-d142-4d79-b529-7805507169d2",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1225",
"datePublished": "2022-04-04T10:50:11",
"dateReserved": "2022-04-04T00:00:00",
"dateUpdated": "2024-08-02T23:55:24.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1226 (GCVE-0-2022-1226)
Vulnerability from cvelistv5
Published
2024-11-15 10:57
Modified
2024-11-15 20:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.4.7 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.4.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1226",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T20:58:44.943024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T20:59:32.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.4.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim\u0027s browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T10:57:20.597Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/3fdcf653-fe26-4592-94a1-98ce664618ec"
},
{
"url": "https://github.com/phpipam/phpipam/commit/50e36b9e4fff5eaa51dc6e42bc684748da378002"
}
],
"source": {
"advisory": "3fdcf653-fe26-4592-94a1-98ce664618ec",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2022-1226",
"datePublished": "2024-11-15T10:57:20.597Z",
"dateReserved": "2022-04-04T10:41:01.205Z",
"dateUpdated": "2024-11-15T20:59:32.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41356 (GCVE-0-2024-41356)
Vulnerability from cvelistv5
Published
2024-07-26 00:00
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\firewall-zones\zones-edit-network.php.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "phpipam",
"vendor": "phpipam",
"versions": [
{
"status": "affected",
"version": "1.6"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41356",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-31T13:44:08.538763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-31T13:46:32.945Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:51.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/4146"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\\admin\\firewall-zones\\zones-edit-network.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T15:59:21.006707",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/issues/4146"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41356",
"datePublished": "2024-07-26T00:00:00",
"dateReserved": "2024-07-18T00:00:00",
"dateUpdated": "2024-08-02T04:46:51.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35438 (GCVE-0-2021-35438)
Vulnerability from cvelistv5
Published
2021-06-23 14:20
Modified
2024-08-04 00:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/3351 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:45.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/3351"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-23T14:20:08",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/3351"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-35438",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/3351",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/3351"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-35438",
"datePublished": "2021-06-23T14:20:08",
"dateReserved": "2021-06-23T00:00:00",
"dateUpdated": "2024-08-04T00:40:45.899Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16692 (GCVE-0-2019-16692)
Vulnerability from cvelistv5
Published
2019-09-22 14:58
Modified
2024-08-05 01:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/2738 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.091Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-01T22:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16692",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/2738",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"name": "http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16692",
"datePublished": "2019-09-22T14:58:54",
"dateReserved": "2019-09-22T00:00:00",
"dateUpdated": "2024-08-05T01:17:41.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16694 (GCVE-0-2019-16694)
Vulnerability from cvelistv5
Published
2019-09-22 14:58
Modified
2024-08-05 01:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/2738 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.108Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-22T14:58:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16694",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/2738",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16694",
"datePublished": "2019-09-22T14:58:36",
"dateReserved": "2019-09-22T00:00:00",
"dateUpdated": "2024-08-05T01:17:41.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16696 (GCVE-0-2019-16696)
Vulnerability from cvelistv5
Published
2019-09-22 14:58
Modified
2024-08-05 01:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/2738 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-22T14:58:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16696",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/2738",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16696",
"datePublished": "2019-09-22T14:58:15",
"dateReserved": "2019-09-22T00:00:00",
"dateUpdated": "2024-08-05T01:17:41.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000870 (GCVE-0-2018-1000870)
Vulnerability from cvelistv5
Published
2018-12-20 17:00
Modified
2024-09-17 02:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040 | x_refsource_MISC | |
| https://github.com/phpipam/phpipam/issues/2326 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:47:57.379Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2326"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-12-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/2326"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-12-19T20:52:45.253944",
"DATE_REQUESTED": "2018-12-06T06:56:23",
"ID": "CVE-2018-1000870",
"REQUESTER": "oscar@sakerhetskontoret.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040"
},
{
"name": "https://github.com/phpipam/phpipam/issues/2326",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2326"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000870",
"datePublished": "2018-12-20T17:00:00Z",
"dateReserved": "2018-12-20T00:00:00Z",
"dateUpdated": "2024-09-17T02:32:43.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10721 (GCVE-0-2024-10721)
Vulnerability from cvelistv5
Published
2025-03-20 10:11
Modified
2025-03-20 13:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which can be executed in the context of other users who view the affected page. The issue occurs in the circuits options page (https://demo.phpipam.net/tools/circuits/options/). An attacker can exploit this vulnerability to steal cookies, gain unauthorized access to user accounts, or redirect users to malicious websites. The vulnerability has been fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10721",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T13:35:00.618607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T13:35:03.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/a440a003-84c9-47b5-bfbd-675564abe3d8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which can be executed in the context of other users who view the affected page. The issue occurs in the circuits options page (https://demo.phpipam.net/tools/circuits/options/). An attacker can exploit this vulnerability to steal cookies, gain unauthorized access to user accounts, or redirect users to malicious websites. The vulnerability has been fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:11:07.493Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/a440a003-84c9-47b5-bfbd-675564abe3d8"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
}
],
"source": {
"advisory": "a440a003-84c9-47b5-bfbd-675564abe3d8",
"discovery": "EXTERNAL"
},
"title": "Store XSS in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10721",
"datePublished": "2025-03-20T10:11:07.493Z",
"dateReserved": "2024-11-01T23:19:03.595Z",
"dateUpdated": "2025-03-20T13:35:03.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10719 (GCVE-0-2024-10719)
Vulnerability from cvelistv5
Published
2025-03-20 10:10
Modified
2025-03-20 18:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. This vulnerability allows an attacker to inject malicious scripts via the 'option' parameter in the POST request to /phpipam/app/admin/circuits/edit-options-submit.php. The injected script can be executed in the context of the user's browser, leading to potential cookie theft and end-user file disclosure. The issue is fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10719",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:49:28.582065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:31:08.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. This vulnerability allows an attacker to inject malicious scripts via the \u0027option\u0027 parameter in the POST request to /phpipam/app/admin/circuits/edit-options-submit.php. The injected script can be executed in the context of the user\u0027s browser, leading to potential cookie theft and end-user file disclosure. The issue is fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:10:07.646Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/56aba8cb-4da1-44b4-8c4d-c5ba00ea3670"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
}
],
"source": {
"advisory": "56aba8cb-4da1-44b4-8c4d-c5ba00ea3670",
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10719",
"datePublished": "2025-03-20T10:10:07.646Z",
"dateReserved": "2024-11-01T23:09:03.739Z",
"dateUpdated": "2025-03-20T18:31:08.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16693 (GCVE-0-2019-16693)
Vulnerability from cvelistv5
Published
2019-09-22 14:58
Modified
2025-04-16 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:17:41.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T14:38:43.441Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2019-16693.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16693",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/2738",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16693",
"datePublished": "2019-09-22T14:58:45.000Z",
"dateReserved": "2019-09-22T00:00:00.000Z",
"dateUpdated": "2025-04-16T14:38:43.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6529 (GCVE-0-2015-6529)
Vulnerability from cvelistv5
Published
2015-08-20 20:00
Modified
2024-08-06 07:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter to site/error.php or (2) ip parameter to site/tools/searchResults.php.
References
| ▼ | URL | Tags |
|---|---|---|
| http://hyp3rlinx.altervista.org/advisories/AS-PHPIPAM0812.txt | x_refsource_MISC | |
| http://packetstormsecurity.com/files/133055/phpipam-1.1.010-Cross-Site-Scripting.html | x_refsource_MISC | |
| http://www.securityfocus.com/archive/1/536188/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:22:22.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://hyp3rlinx.altervista.org/advisories/AS-PHPIPAM0812.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133055/phpipam-1.1.010-Cross-Site-Scripting.html"
},
{
"name": "20150812 phpipam-1.1.010 XSS Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536188/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-08-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter to site/error.php or (2) ip parameter to site/tools/searchResults.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://hyp3rlinx.altervista.org/advisories/AS-PHPIPAM0812.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133055/phpipam-1.1.010-Cross-Site-Scripting.html"
},
{
"name": "20150812 phpipam-1.1.010 XSS Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536188/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-6529",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter to site/error.php or (2) ip parameter to site/tools/searchResults.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://hyp3rlinx.altervista.org/advisories/AS-PHPIPAM0812.txt",
"refsource": "MISC",
"url": "http://hyp3rlinx.altervista.org/advisories/AS-PHPIPAM0812.txt"
},
{
"name": "http://packetstormsecurity.com/files/133055/phpipam-1.1.010-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133055/phpipam-1.1.010-Cross-Site-Scripting.html"
},
{
"name": "20150812 phpipam-1.1.010 XSS Vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536188/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-6529",
"datePublished": "2015-08-20T20:00:00",
"dateReserved": "2015-08-20T00:00:00",
"dateUpdated": "2024-08-06T07:22:22.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10718 (GCVE-0-2024-10718)
Vulnerability from cvelistv5
Published
2025-03-20 10:10
Modified
2025-03-20 18:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Summary
In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10718",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:52:22.081744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:31:14.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-614",
"description": "CWE-614 Sensitive Cookie in HTTPS Session Without \u0027Secure\u0027 Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:10:07.285Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/725bce8f-328f-4fbc-acf5-46ea920cd3c1"
},
{
"url": "https://github.com/phpipam/phpipam/commit/ddf70ef6801442eb8b0be5eea829e470e653c70e"
}
],
"source": {
"advisory": "725bce8f-328f-4fbc-acf5-46ea920cd3c1",
"discovery": "EXTERNAL"
},
"title": "Cookie without Secure attribute in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10718",
"datePublished": "2025-03-20T10:10:07.285Z",
"dateReserved": "2024-11-01T22:59:44.199Z",
"dateUpdated": "2025-03-20T18:31:14.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55093 (GCVE-0-2024-55093)
Vulnerability from cvelistv5
Published
2025-03-31 00:00
Modified
2025-03-31 13:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
phpIPAM through 1.7.3 has a reflected Cross-Site Scripting (XSS) vulnerability in the install scripts.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T13:41:03.298282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T13:41:23.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "phpIPAM",
"vendor": "phpIPAM",
"versions": [
{
"lessThanOrEqual": "1.7.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"versionEndIncluding": "1.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM through 1.7.3 has a reflected Cross-Site Scripting (XSS) vulnerability in the install scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-31T12:38:18.422Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/commit/d0caaeba885364fd0521f094511c5d7b11f9da8f"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-55093",
"datePublished": "2025-03-31T00:00:00.000Z",
"dateReserved": "2024-12-06T00:00:00.000Z",
"dateUpdated": "2025-03-31T13:41:23.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-10329 (GCVE-0-2018-10329)
Vulnerability from cvelistv5
Published
2018-04-24 06:00
Modified
2024-09-16 16:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/1903 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:39:06.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/1903"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-24T06:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/phpipam/phpipam/issues/1903"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-10329",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/1903",
"refsource": "CONFIRM",
"url": "https://github.com/phpipam/phpipam/issues/1903"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-10329",
"datePublished": "2018-04-24T06:00:00Z",
"dateReserved": "2018-04-24T00:00:00Z",
"dateUpdated": "2024-09-16T16:53:15.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0787 (GCVE-0-2024-0787)
Vulnerability from cvelistv5
Published
2024-11-15 10:57
Modified
2024-11-15 19:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Summary
phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.70",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-0787",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T19:08:12.245566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T19:09:48.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the \u0027X-Forwarded-For\u0027 header. The issue lies in the \u0027get_user_ip()\u0027 function in \u0027class.Common.php\u0027 at lines 1044 and 1045, where the presence of the \u0027X-Forwarded-For\u0027 header is checked and used instead of \u0027REMOTE_ADDR\u0027. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T10:57:05.410Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/840cb582-1feb-43ab-9cc4-e4b5a63c5bab"
},
{
"url": "https://github.com/phpipam/phpipam/commit/55c2056068be9f1359e967fcff64db6b7f4d00b5"
}
],
"source": {
"advisory": "840cb582-1feb-43ab-9cc4-e4b5a63c5bab",
"discovery": "EXTERNAL"
},
"title": "Improper Restriction of Excessive Authentication Attempts in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-0787",
"datePublished": "2024-11-15T10:57:05.410Z",
"dateReserved": "2024-01-22T17:00:17.923Z",
"dateUpdated": "2024-11-15T19:09:48.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10725 (GCVE-0-2024-10725)
Vulnerability from cvelistv5
Published
2025-03-20 10:09
Modified
2025-03-20 18:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which are then executed in the context of other users who view the affected pages. The issue occurs when editing the NAT destination address, where user input is not properly sanitized. This can lead to data theft, account compromise, and other malicious activities. The vulnerability is fixed in version 1.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.7.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10725",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T17:51:28.365755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T18:57:09.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which are then executed in the context of other users who view the affected pages. The issue occurs when editing the NAT destination address, where user input is not properly sanitized. This can lead to data theft, account compromise, and other malicious activities. The vulnerability is fixed in version 1.7.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T10:09:15.972Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/343465fa-6dec-40af-a012-7b118e91a771"
},
{
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
}
],
"source": {
"advisory": "343465fa-6dec-40af-a012-7b118e91a771",
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting (XSS) in phpipam/phpipam"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-10725",
"datePublished": "2025-03-20T10:09:15.972Z",
"dateReserved": "2024-11-01T23:25:52.660Z",
"dateUpdated": "2025-03-20T18:57:09.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1223 (GCVE-0-2022-1223)
Vulnerability from cvelistv5
Published
2022-04-04 10:45
Modified
2024-08-02 23:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | x_refsource_MISC | |
| https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| phpipam | phpipam/phpipam |
Version: unspecified < 1.4.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "phpipam/phpipam",
"vendor": "phpipam",
"versions": [
{
"lessThan": "1.4.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-02T08:42:02.920Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab"
}
],
"source": {
"advisory": "baec4c23-2466-4b13-b3c0-eaf1d000d4ab",
"discovery": "EXTERNAL"
},
"title": "Incorrect Authorization in phpipam/phpipam",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1223",
"STATE": "PUBLIC",
"TITLE": "Improper Access Control in phpipam/phpipam"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "phpipam/phpipam",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1.4.6"
}
]
}
}
]
},
"vendor_name": "phpipam"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper Access Control in GitHub repository phpipam/phpipam prior to 1.4.6."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"name": "https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab"
}
]
},
"source": {
"advisory": "baec4c23-2466-4b13-b3c0-eaf1d000d4ab",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1223",
"datePublished": "2022-04-04T10:45:20",
"dateReserved": "2022-04-04T00:00:00",
"dateUpdated": "2024-08-02T23:55:24.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41354 (GCVE-0-2024-41354)
Vulnerability from cvelistv5
Published
2024-07-26 00:00
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/widgets/edit.php
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "phpipam",
"vendor": "phpipam",
"versions": [
{
"status": "affected",
"version": "1.6"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41354",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T15:20:43.163381Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T15:22:56.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.397Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/4150"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/widgets/edit.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T16:02:29.241764",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/issues/4150"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41354",
"datePublished": "2024-07-26T00:00:00",
"dateReserved": "2024-07-18T00:00:00",
"dateUpdated": "2024-08-02T04:46:52.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000869 (GCVE-0-2018-1000869)
Vulnerability from cvelistv5
Published
2018-12-20 17:00
Modified
2024-09-16 19:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/2344 | x_refsource_MISC | |
| https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:47:57.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/2344"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-12-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-20T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/2344"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-12-19T20:52:45.252735",
"DATE_REQUESTED": "2018-12-05T07:39:06",
"ID": "CVE-2018-1000869",
"REQUESTER": "oscar@arnflo.se",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/2344",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/2344"
},
{
"name": "https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000869",
"datePublished": "2018-12-20T17:00:00Z",
"dateReserved": "2018-12-20T00:00:00Z",
"dateUpdated": "2024-09-16T19:04:36.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13225 (GCVE-0-2020-13225)
Vulnerability from cvelistv5
Published
2020-05-20 03:05
Modified
2024-08-04 12:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/phpipam/phpipam/issues/3025 | x_refsource_MISC | |
| https://www.youtube.com/watch?v=SpFmM03Jl40 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:19.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/3025"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=SpFmM03Jl40"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-20T03:05:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/phpipam/phpipam/issues/3025"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=SpFmM03Jl40"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13225",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/phpipam/phpipam/issues/3025",
"refsource": "MISC",
"url": "https://github.com/phpipam/phpipam/issues/3025"
},
{
"name": "https://www.youtube.com/watch?v=SpFmM03Jl40",
"refsource": "MISC",
"url": "https://www.youtube.com/watch?v=SpFmM03Jl40"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13225",
"datePublished": "2020-05-20T03:05:27",
"dateReserved": "2020-05-20T00:00:00",
"dateUpdated": "2024-08-04T12:11:19.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41353 (GCVE-0-2024-41353)
Vulnerability from cvelistv5
Published
2024-07-26 00:00
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\groups\edit-group.php
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "phpipam",
"vendor": "phpipam",
"versions": [
{
"status": "affected",
"version": "1.6"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41353",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T18:20:51.421861Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T18:22:01.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:51.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/phpipam/phpipam/issues/4147"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\\admin\\groups\\edit-group.php"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T16:03:57.536974",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/phpipam/phpipam/issues/4147"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-41353",
"datePublished": "2024-07-26T00:00:00",
"dateReserved": "2024-07-18T00:00:00",
"dateUpdated": "2024-08-02T04:46:51.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-03-08 06:15
Modified
2025-03-05 19:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/3738 | Exploit, Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/3738 | Exploit, Issue Tracking, Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "76AB84E7-3B77-4A35-B047-7DE3D2D77950",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php."
}
],
"id": "CVE-2023-24657",
"lastModified": "2025-03-05T19:15:29.283",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-03-08T06:15:44.490",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/phpipam/phpipam/issues/3738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/phpipam/phpipam/issues/3738"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-05-28 20:34
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. This vulnerability allows an attacker to inject malicious scripts via the 'option' parameter in the POST request to /phpipam/app/admin/circuits/edit-options-submit.php. The injected script can be executed in the context of the user's browser, leading to potential cookie theft and end-user file disclosure. The issue is fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. This vulnerability allows an attacker to inject malicious scripts via the \u0027option\u0027 parameter in the POST request to /phpipam/app/admin/circuits/edit-options-submit.php. The injected script can be executed in the context of the user\u0027s browser, leading to potential cookie theft and end-user file disclosure. The issue is fixed in version 1.7.0."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en la versi\u00f3n 1.5.2 de phpipam, espec\u00edficamente en la funcionalidad de opciones de circuitos. Esta vulnerabilidad permite a un atacante inyectar scripts maliciosos mediante el par\u00e1metro \u0027option\u0027 en la solicitud POST a /phpipam/app/admin/circuits/edit-options-submit.php. El script inyectado puede ejecutarse en el contexto del navegador del usuario, lo que puede provocar el robo de cookies y la divulgaci\u00f3n de archivos del usuario final. El problema se ha corregido en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-10719",
"lastModified": "2025-05-28T20:34:18.857",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:18.770",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/56aba8cb-4da1-44b4-8c4d-c5ba00ea3670"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-29 20:15
Modified
2025-04-16 14:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "76AB84E7-3B77-4A35-B047-7DE3D2D77950",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\\admin\\import-export\\import-load-data.php."
},
{
"lang": "es",
"value": "phpipam 1.6 es vulnerable a Cross Site Scripting (XSS) a trav\u00e9s de app\\admin\\import-export\\import-load-data.php."
}
],
"id": "CVE-2024-41358",
"lastModified": "2025-04-16T14:15:22.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-08-29T20:15:08.873",
"references": [
{
"source": "cve@mitre.org",
"url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2024-41358.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/phpipam/phpipam/issues/4148"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-19 21:15
Modified
2024-11-21 06:47
Severity ?
Summary
PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php
References
| ▼ | URL | Tags | |
|---|---|---|---|
| help@fluidattacks.com | http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| help@fluidattacks.com | https://fluidattacks.com/advisories/mercury/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/phpipam/phpipam/releases/tag/v1.4.5 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/mercury/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/releases/tag/v1.4.5 | Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8740D50B-34B1-44D3-B6CF-93047F04D587",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the \"subnet\" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php"
},
{
"lang": "es",
"value": "PhpIPAM versi\u00f3n v1.4.4, permite a un usuario administrador autenticado inyectar sentencias SQL en el par\u00e1metro \"subnet\" mientras busca una subred por medio del archivo app/admin/routing/edit-bgp-mapping-search.php"
}
],
"id": "CVE-2022-23046",
"lastModified": "2024-11-21T06:47:52.730",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-19T21:15:09.120",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mercury/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/mercury/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-05-28 20:34
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2, specifically in the Subnet NAT translations section when editing the Destination address. This vulnerability allows an attacker to execute malicious code. The issue is fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2, specifically in the Subnet NAT translations section when editing the Destination address. This vulnerability allows an attacker to execute malicious code. The issue is fixed in version 1.7.0."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en phpipam/phpipam versi\u00f3n 1.5.2, espec\u00edficamente en la secci\u00f3n de traducciones NAT de subred al editar la direcci\u00f3n de destino. Esta vulnerabilidad permite a un atacante ejecutar c\u00f3digo malicioso. El problema se ha corregido en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-10724",
"lastModified": "2025-05-28T20:34:37.933",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:19.390",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/0746e357-fcc7-44db-b8e7-857875c54999"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-14 20:15
Modified
2024-11-21 08:36
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability was found in phpipam 1.5.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Header Handler. The manipulation of the argument X-Forwarded-Host leads to open redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239732.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://github.com/ctflearner/Vulnerability/blob/main/PHPIPAM/Open_Redirect.md | Exploit, Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.239732 | Permissions Required, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.239732 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/ctflearner/Vulnerability/blob/main/PHPIPAM/Open_Redirect.md | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.239732 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.239732 | Permissions Required, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "44568465-4A70-496E-A435-AC8928B323E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in phpipam 1.5.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Header Handler. The manipulation of the argument X-Forwarded-Host leads to open redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239732."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en phpipam 1.5.1. Ha sido calificado como problem\u00e1tico. Una funci\u00f3n desconocida del componente Header Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento X-Forwarded-Host conduce a una redirecci\u00f3n abierta. El ataque puede lanzarse de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-239732."
}
],
"id": "CVE-2023-4965",
"lastModified": "2024-11-21T08:36:21.470",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "MULTIPLE",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.4,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-14T20:15:12.880",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/ctflearner/Vulnerability/blob/main/PHPIPAM/Open_Redirect.md"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?ctiid.239732"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.239732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/ctflearner/Vulnerability/blob/main/PHPIPAM/Open_Redirect.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?ctiid.239732"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.239732"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "cna@vuldb.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-09-22 15:15
Modified
2024-11-21 04:30
Severity ?
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html | ||
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CE82745-8135-4737-967A-BCFE1EBF5353",
"versionEndIncluding": "1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used."
},
{
"lang": "es",
"value": "phpIPAM versi\u00f3n 1.4, permite una inyecci\u00f3n SQL por medio del par\u00e1metro table del archivo app/admin/custom-fields/filter-result.php cuando es usado action=add."
}
],
"id": "CVE-2019-16692",
"lastModified": "2024-11-21T04:30:59.440",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-22T15:15:13.827",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-02 20:15
Modified
2024-11-21 07:20
Severity ?
2.4 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability has been found in phpipam and classified as problematic. Affected by this vulnerability is an unknown functionality of the file app/admin/import-export/import-load-data.php of the component Import Preview Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-212863.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://github.com/phpipam/phpipam/commit/22c797c3583001211fe7d31bccd3f1d4aeeb3bbc | Patch, Third Party Advisory | |
| cna@vuldb.com | https://github.com/phpipam/phpipam/releases/tag/v1.5.0 | Release Notes, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.212863 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/22c797c3583001211fe7d31bccd3f1d4aeeb3bbc | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/releases/tag/v1.5.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.212863 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B04A9209-158A-44F9-AD2B-3FA87901A478",
"versionEndExcluding": "1.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in phpipam and classified as problematic. Affected by this vulnerability is an unknown functionality of the file app/admin/import-export/import-load-data.php of the component Import Preview Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.0 is able to address this issue. The name of the patch is 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-212863."
},
{
"lang": "es",
"value": "Una vulnerabilidad ha sido encontrada en phpipam y clasificada como problem\u00e1tica. Una funci\u00f3n desconocida del archivo app/admin/import-export/import-load-data.php del componente Import Preview Handler es afectada por esta vulnerabilidad. La manipulaci\u00f3n conduce a Cross-Site Scripting (XSS). El ataque se puede lanzar de forma remota. La actualizaci\u00f3n a la versi\u00f3n 1.5.0 puede solucionar este problema. El nombre del parche es 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc. Se recomienda actualizar el componente afectado. El identificador asociado de esta vulnerabilidad es VDB-212863."
}
],
"id": "CVE-2022-3845",
"lastModified": "2024-11-21T07:20:21.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-02T20:15:11.537",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/22c797c3583001211fe7d31bccd3f1d4aeeb3bbc"
},
{
"source": "cna@vuldb.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.5.0"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.212863"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/22c797c3583001211fe7d31bccd3f1d4aeeb3bbc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.5.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.212863"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-707"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-02-04 21:29
Modified
2024-11-21 04:17
Severity ?
Summary
phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2327 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2327 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "263E5E1B-4833-43F0-B563-30ADE0F25EE0",
"versionEndIncluding": "1.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4."
},
{
"lang": "es",
"value": "phpIPAM, en versiones 1.3.2 y anteriores, contiene una vulnerabilidad de Cross-Site Scripting (XSS) en subnet-scan-telnet.php que puede resultar en la ejecuci\u00f3n de c\u00f3digo en el navegador de la v\u00edctima. Este ataque parece ser explotable mediante una v\u00edctima que visita un enlace manipulado por un atacante. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 1.4."
}
],
"id": "CVE-2019-1000010",
"lastModified": "2024-11-21T04:17:40.150",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-02-04T21:29:01.003",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2327"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/fd37bd8fb2b9c306079db505e0e3fe79a096c31c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2327"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-09-22 15:15
Modified
2024-11-21 04:31
Severity ?
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CE82745-8135-4737-967A-BCFE1EBF5353",
"versionEndIncluding": "1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used."
},
{
"lang": "es",
"value": "phpIPAM versi\u00f3n 1.4, permite una inyecci\u00f3n SQL por medio del par\u00e1metro table del archivo app/admin/custom-fields/edit.php cuando es usado action=add."
}
],
"id": "CVE-2019-16696",
"lastModified": "2024-11-21T04:31:00.030",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-22T15:15:14.077",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-04-01 20:35
Severity ?
Summary
A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute arbitrary JavaScript in the context of the user's browser, potentially leading to full compromise of the user.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DEC3A383-0A9F-4B31-89F0-4DCDE1657A97",
"versionEndIncluding": "1.6",
"versionStartIncluding": "1.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute arbitrary JavaScript in the context of the user\u0027s browser, potentially leading to full compromise of the user."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en phpipam/phpipam, versiones 1.5.0 a 1.6.0. Esta vulnerabilidad surge cuando la aplicaci\u00f3n recibe datos en una solicitud HTTP y los incluye en la respuesta inmediata de forma insegura. Esto permite a un atacante ejecutar JavaScript arbitrario en el contexto del navegador del usuario, lo que podr\u00eda comprometer su seguridad."
}
],
"id": "CVE-2024-10727",
"lastModified": "2025-04-01T20:35:36.647",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:19.633",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit"
],
"url": "https://huntr.com/bounties/259eed22-4d6f-4229-92e5-04674f302d5d"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit"
],
"url": "https://huntr.com/bounties/259eed22-4d6f-4229-92e5-04674f302d5d"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 17:15
Modified
2025-04-23 18:33
Severity ?
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\groups\edit-group.php
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/4147 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/4147 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "76AB84E7-3B77-4A35-B047-7DE3D2D77950",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\\admin\\groups\\edit-group.php"
},
{
"lang": "es",
"value": " phpipam 1.6 es vulnerable a Cross Site Scripting (XSS) a trav\u00e9s de app\\admin\\groups\\edit-group.php"
}
],
"id": "CVE-2024-41353",
"lastModified": "2025-04-23T18:33:56.773",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-26T17:15:12.457",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4147"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4147"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 16:15
Modified
2025-04-23 18:34
Severity ?
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2024-41357.md | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/4149 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/4149 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "76AB84E7-3B77-4A35-B047-7DE3D2D77950",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php."
},
{
"lang": "es",
"value": " phpipam 1.6 es vulnerable a Cross Site Scripting (XSS) a trav\u00e9s de /app/admin/powerDNS/record-edit.php."
}
],
"id": "CVE-2024-41357",
"lastModified": "2025-04-23T18:34:02.137",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-26T16:15:03.427",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2024-41357.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4149"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-07 00:15
Modified
2024-11-21 07:38
Severity ?
Summary
SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46DA6678-DF2A-4E72-8CC6-C70CA607810B",
"versionEndExcluding": "1.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2."
}
],
"id": "CVE-2023-1211",
"lastModified": "2024-11-21T07:38:40.673",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-07T00:15:09.220",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/16e7a94fb69412e569ccf6f2fe0a1f847309c922"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/ed569124-2aeb-4b0d-a312-435460892afd"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/16e7a94fb69412e569ccf6f2fe0a1f847309c922"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/ed569124-2aeb-4b0d-a312-435460892afd"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-09-22 15:15
Modified
2025-04-16 15:15
Severity ?
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2019-16693.md | ||
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CE82745-8135-4737-967A-BCFE1EBF5353",
"versionEndIncluding": "1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used."
},
{
"lang": "es",
"value": "phpIPAM versi\u00f3n 1.4, permite una inyecci\u00f3n SQL por medio del par\u00e1metro table del archivo app/admin/custom-fields/order.php cuando es usado action=add."
}
],
"id": "CVE-2019-16693",
"lastModified": "2025-04-16T15:15:44.933",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-22T15:15:13.890",
"references": [
{
"source": "cve@mitre.org",
"url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2019-16693.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-06-27 15:29
Severity ?
Summary
In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0."
},
{
"lang": "es",
"value": "En la versi\u00f3n 1.5.1 de phpipam/phpipam, el atributo \"Secure\" para cookies sensibles en sesiones HTTPS no est\u00e1 configurado. Esto podr\u00eda provocar que el agente de usuario env\u00ede dichas cookies en texto plano a trav\u00e9s de una sesi\u00f3n HTTP, lo que podr\u00eda exponer informaci\u00f3n sensible. El problema se solucion\u00f3 en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-10718",
"lastModified": "2025-06-27T15:29:49.470",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:18.650",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/ddf70ef6801442eb8b0be5eea829e470e653c70e"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/725bce8f-328f-4fbc-acf5-46ea920cd3c1"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-614"
}
],
"source": "security@huntr.dev",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-04 13:15
Modified
2024-11-21 07:37
Severity ?
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/phpipam/phpipam/commit/94ec73ff1d33926b75b811ded6f0b4a46088a7ec | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/b72d4f0c-8a96-4b40-a031-7d469c6ab93b | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/94ec73ff1d33926b75b811ded6f0b4a46088a7ec | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/b72d4f0c-8a96-4b40-a031-7d469c6ab93b | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E6C6452-C85E-4BF3-B06C-1F81BB54FC5C",
"versionEndExcluding": "1.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1."
}
],
"id": "CVE-2023-0676",
"lastModified": "2024-11-21T07:37:36.503",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-04T13:15:12.147",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/94ec73ff1d33926b75b811ded6f0b4a46088a7ec"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/b72d4f0c-8a96-4b40-a031-7d469c6ab93b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/94ec73ff1d33926b75b811ded6f0b4a46088a7ec"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/b72d4f0c-8a96-4b40-a031-7d469c6ab93b"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-07 00:15
Modified
2024-11-21 07:38
Severity ?
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46DA6678-DF2A-4E72-8CC6-C70CA607810B",
"versionEndExcluding": "1.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2."
}
],
"id": "CVE-2023-1212",
"lastModified": "2024-11-21T07:38:40.797",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 4.2,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-07T00:15:09.300",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/78e0470100a6cb143fe9af2e336dce80e4620960"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/3d5199d6-9bb2-4f7b-bd81-bded704da499"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/78e0470100a6cb143fe9af2e336dce80e4620960"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/3d5199d6-9bb2-4f7b-bd81-bded704da499"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-05-20 04:15
Modified
2024-11-21 05:00
Severity ?
Summary
phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/3025 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://www.youtube.com/watch?v=SpFmM03Jl40 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/3025 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.youtube.com/watch?v=SpFmM03Jl40 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3B073F95-66BA-4D4E-888F-51DC1B2B834A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget."
},
{
"lang": "es",
"value": "phpIPAM versi\u00f3n 1.4, contiene una vulnerabilidad de tipo cross site scripting (XSS) almacenado en el campo Edit User Instructions del widget User Instructions."
}
],
"id": "CVE-2020-13225",
"lastModified": "2024-11-21T05:00:50.223",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-20T04:15:10.427",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/3025"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.youtube.com/watch?v=SpFmM03Jl40"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/3025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.youtube.com/watch?v=SpFmM03Jl40"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-05-28 20:34
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the destination address field of the NAT tool, which can be executed when a user interacts with the field. The impact of this vulnerability includes the potential theft of user cookies, unauthorized access to user accounts, and redirection to malicious websites. The issue has been fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the destination address field of the NAT tool, which can be executed when a user interacts with the field. The impact of this vulnerability includes the potential theft of user cookies, unauthorized access to user accounts, and redirection to malicious websites. The issue has been fixed in version 1.7.0."
},
{
"lang": "es",
"value": "Se descubri\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en phpipam/phpipam versi\u00f3n 1.5.2. Esta vulnerabilidad permite a un atacante inyectar scripts maliciosos en el campo de direcci\u00f3n de destino de la herramienta NAT, que pueden ejecutarse cuando un usuario interact\u00faa con dicho campo. El impacto de esta vulnerabilidad incluye el posible robo de cookies de usuario, acceso no autorizado a cuentas de usuario y redirecci\u00f3n a sitios web maliciosos. El problema se ha corregido en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-10723",
"lastModified": "2025-05-28T20:34:48.120",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:19.267",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/9af99057-e4f6-4d07-b3bb-3213b977801d"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-19 21:15
Modified
2024-11-21 06:47
Severity ?
Summary
PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| help@fluidattacks.com | https://fluidattacks.com/advisories/osbourne/ | Exploit, Third Party Advisory | |
| help@fluidattacks.com | https://github.com/phpipam/phpipam/releases/tag/v1.4.5 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://fluidattacks.com/advisories/osbourne/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/releases/tag/v1.4.5 | Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8740D50B-34B1-44D3-B6CF-93047F04D587",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the \"Site title\" parameter while updating the site settings. The \"Site title\" setting is injected in several locations which triggers the XSS."
},
{
"lang": "es",
"value": "PhpIPAM versi\u00f3n v1.4.4, permite a un usuario administrador autenticado inyectar c\u00f3digo JavaScript persistente dentro del par\u00e1metro \"Site title\" mientras es actualizada la configuraci\u00f3n del sitio. El par\u00e1metro \"Site title\" es inyectado en varias ubicaciones que desencadenan el ataque de tipo XSS"
}
],
"id": "CVE-2022-23045",
"lastModified": "2024-11-21T06:47:52.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-19T21:15:09.077",
"references": [
{
"source": "help@fluidattacks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/osbourne/"
},
{
"source": "help@fluidattacks.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://fluidattacks.com/advisories/osbourne/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/v1.4.5"
}
],
"sourceIdentifier": "help@fluidattacks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 16:15
Modified
2025-04-23 18:34
Severity ?
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\firewall-zones\zones-edit-network.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/4146 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/4146 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "76AB84E7-3B77-4A35-B047-7DE3D2D77950",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\\admin\\firewall-zones\\zones-edit-network.php."
},
{
"lang": "es",
"value": " phpipam 1.6 es vulnerable a Cross Site Scripting (XSS) a trav\u00e9s de app\\admin\\firewall-zones\\zones-edit-network.php."
}
],
"id": "CVE-2024-41356",
"lastModified": "2025-04-23T18:34:06.133",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-26T16:15:03.357",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4146"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4146"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-02 13:15
Modified
2024-11-21 08:21
Severity ?
Summary
Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46DA6678-DF2A-4E72-8CC6-C70CA607810B",
"versionEndExcluding": "1.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que Phpipam anterior a v1.5.2 conten\u00eda una vulnerabilidad de inyecci\u00f3n LDAP a trav\u00e9s del par\u00e1metro dname en /users/ad-search-result.php. Esta vulnerabilidad permite a los atacantes enumerar campos arbitrarios en el servidor LDAP y acceder a datos confidenciales mediante una solicitud POST manipulada."
}
],
"id": "CVE-2023-41580",
"lastModified": "2024-11-21T08:21:19.257",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-02T13:15:09.797",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ehtec/phpipam-exploit"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c451085476074943eb4056941005c0b61db566c5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/ehtec/phpipam-exploit"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c451085476074943eb4056941005c0b61db566c5"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-05-28 20:35
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability allows attackers to inject malicious scripts into the 'Description' field of custom fields in the 'IP RELATED MANAGEMENT' section. This can lead to data theft, account compromise, distribution of malware, website defacement, content manipulation, and phishing attacks. The issue is fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability allows attackers to inject malicious scripts into the \u0027Description\u0027 field of custom fields in the \u0027IP RELATED MANAGEMENT\u0027 section. This can lead to data theft, account compromise, distribution of malware, website defacement, content manipulation, and phishing attacks. The issue is fixed in version 1.7.0."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en phpipam/phpipam versi\u00f3n 1.5.2. Esta vulnerabilidad permite a los atacantes inyectar scripts maliciosos en el campo \"Descripci\u00f3n\" de los campos personalizados de la secci\u00f3n \"GESTI\u00d3N DE IP\". Esto puede provocar robo de datos, vulneraci\u00f3n de cuentas, distribuci\u00f3n de malware, desfiguraci\u00f3n de sitios web, manipulaci\u00f3n de contenido y ataques de phishing. El problema est\u00e1 corregido en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-10722",
"lastModified": "2025-05-28T20:35:42.690",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:19.140",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/f0bc97b2-33a9-4b15-aa05-ff7c57624847"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-09-22 15:15
Modified
2024-11-21 04:30
Severity ?
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CE82745-8135-4737-967A-BCFE1EBF5353",
"versionEndIncluding": "1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used."
},
{
"lang": "es",
"value": "phpIPAM versi\u00f3n 1.4, permite una inyecci\u00f3n SQL por medio del par\u00e1metro table del archivo app/admin/custom-fields/edit-result.php cuando es usado action=add."
}
],
"id": "CVE-2019-16694",
"lastModified": "2024-11-21T04:30:59.750",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-22T15:15:13.953",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-04 11:15
Modified
2024-11-21 06:40
Severity ?
Summary
Incorrect Privilege Assignment in GitHub repository phpipam/phpipam prior to 1.4.6.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18904167-103A-48E2-A8A6-075986A292B9",
"versionEndExcluding": "1.4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Privilege Assignment in GitHub repository phpipam/phpipam prior to 1.4.6."
},
{
"lang": "es",
"value": "Una Asignaci\u00f3n Incorrecta de Privilegios en el repositorio de GitHub phpipam/phpipam versiones anteriores a 1.4.6"
}
],
"id": "CVE-2022-1225",
"lastModified": "2024-11-21T06:40:17.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-04T11:15:08.123",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/49b44cfa-d142-4d79-b529-7805507169d2"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-266"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 17:15
Modified
2025-04-23 18:33
Severity ?
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/widgets/edit.php
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/4150 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/4150 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "76AB84E7-3B77-4A35-B047-7DE3D2D77950",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/widgets/edit.php"
},
{
"lang": "es",
"value": "phpipam 1.6 es vulnerable a Cross Site Scripting (XSS) a trav\u00e9s de /app/admin/widgets/edit.php"
}
],
"id": "CVE-2024-41354",
"lastModified": "2025-04-23T18:33:52.397",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-26T17:15:12.513",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4150"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4150"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-31 13:15
Modified
2025-04-23 18:32
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
phpIPAM through 1.7.3 has a reflected Cross-Site Scripting (XSS) vulnerability in the install scripts.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ECCAE1A5-738E-4649-BAF4-ACC14A8562BA",
"versionEndIncluding": "1.7.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM through 1.7.3 has a reflected Cross-Site Scripting (XSS) vulnerability in the install scripts."
},
{
"lang": "es",
"value": "Desde phpIPAM hasta la versi\u00f3n 1.7.3 se refleja una vulnerabilidad de tipo Cross-Site Scripting (XSS) en los scripts de instalaci\u00f3n."
}
],
"id": "CVE-2024-55093",
"lastModified": "2025-04-23T18:32:54.217",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-31T13:15:42.160",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/d0caaeba885364fd0521f094511c5d7b11f9da8f"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-26 16:15
Modified
2025-04-23 18:34
Severity ?
Summary
phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/tools/request-ip/index.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/4151 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/4151 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "76AB84E7-3B77-4A35-B047-7DE3D2D77950",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/tools/request-ip/index.php."
},
{
"lang": "es",
"value": " phpipam 1.6 es vulnerable a Cross Site Scripting (XSS) a trav\u00e9s de /app/tools/request-ip/index.php."
}
],
"id": "CVE-2024-41355",
"lastModified": "2025-04-23T18:34:08.960",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-26T16:15:03.277",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4151"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/4151"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-04 11:15
Modified
2024-11-21 06:40
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18904167-103A-48E2-A8A6-075986A292B9",
"versionEndExcluding": "1.4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.\n\n"
},
{
"lang": "es",
"value": "Un Control de acceso Inapropiado en el repositorio de GitHub phpipam/phpipam versiones anteriores a 1.4.6"
}
],
"id": "CVE-2022-1223",
"lastModified": "2024-11-21T06:40:17.290",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-04T11:15:08.000",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/baec4c23-2466-4b13-b3c0-eaf1d000d4ab"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security@huntr.dev",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-23 15:15
Modified
2024-11-21 06:12
Severity ?
Summary
phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/3351 | Exploit, Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/3351 | Exploit, Issue Tracking, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "7DBADC84-B58D-4CEE-94CC-431A4833DA9D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator."
},
{
"lang": "es",
"value": "phpIPAM versi\u00f3n 1.4.3, permite un ataque de tipo XSS reflejado por medio de los archivos app/dashboard/widgets/ipcalc-result.php y app/tools/ip-calculator/result.php de la calculadora de IP"
}
],
"id": "CVE-2021-35438",
"lastModified": "2024-11-21T06:12:18.337",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-23T15:15:08.627",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/3351"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/3351"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-25 16:15
Modified
2024-11-21 06:34
Severity ?
Summary
phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8740D50B-34B1-44D3-B6CF-93047F04D587",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality."
},
{
"lang": "es",
"value": "phpIPAM versi\u00f3n 1.4.4 permite un ataque de tipo XSS reflejado y de tipo CSRF por medio de el archivo app/admin/subnets/find_free_section_subnets.php de la funcionalidad subnets"
}
],
"id": "CVE-2021-46426",
"lastModified": "2024-11-21T06:34:03.890",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-25T16:15:09.363",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167227/PHPIPAM-1.4.4-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/May/43"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/phpipam"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://www.tempest.com.br"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167227/PHPIPAM-1.4.4-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/May/43"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/phpipam"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://www.tempest.com.br"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-04 13:15
Modified
2024-11-21 07:37
Severity ?
Summary
Missing Authorization in GitHub repository phpipam/phpipam prior to v1.5.1.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/phpipam/phpipam/commit/1960bd24e8a55796da066237cf11272c44bb1cc4 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/8d299377-be00-46dc-bebe-3d439127982f | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/1960bd24e8a55796da066237cf11272c44bb1cc4 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/8d299377-be00-46dc-bebe-3d439127982f | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E6C6452-C85E-4BF3-B06C-1F81BB54FC5C",
"versionEndExcluding": "1.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Missing Authorization in GitHub repository phpipam/phpipam prior to v1.5.1."
}
],
"id": "CVE-2023-0678",
"lastModified": "2024-11-21T07:37:36.750",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-04T13:15:12.713",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/1960bd24e8a55796da066237cf11272c44bb1cc4"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/8d299377-be00-46dc-bebe-3d439127982f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/1960bd24e8a55796da066237cf11272c44bb1cc4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/8d299377-be00-46dc-bebe-3d439127982f"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security@huntr.dev",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-12-20 17:29
Modified
2024-11-21 03:40
Severity ?
Summary
PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2326 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2326 | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "263E5E1B-4833-43F0-B563-30ADE0F25EE0",
"versionEndIncluding": "1.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PHPipam version 1.3.2 and earlier contains a CWE-79 vulnerability in /app/admin/users/print-user.php that can result in Execute code in the victims browser. This attack appear to be exploitable via Attacker change theme parameter in user settings. Admin(Victim) views user in admin-panel and gets exploited.. This vulnerability appears to have been fixed in 1.4."
},
{
"lang": "es",
"value": "PHPipam, en versiones 1.3.2 y anteriores, contiene una vulnerabilidad CWE-79 en /app/admin/users/print-user.php que puede resultar en la ejecuci\u00f3n de c\u00f3digo en el navegador de la v\u00edctima. El ataque parece ser explotable mediante un atacante que cambie el par\u00e1metro theme en las opciones de usuario. El administrador (v\u00edctima) visualiza al usuario en el panel de control y la vulnerabilidad es explotada. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 1.4."
}
],
"id": "CVE-2018-1000870",
"lastModified": "2024-11-21T03:40:32.487",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-12-20T17:29:00.783",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2326"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/552fbb0fc7ecb84bda4a131b4f290a3de9980040"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2326"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-04-21 21:29
Modified
2024-11-21 03:14
Severity ?
Summary
app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/1521 | Third Party Advisory | |
| cve@mitre.org | https://github.com/phpipam/phpipam/releases/tag/1.3.1 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/1521 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/releases/tag/1.3.1 | Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D438BFDC-ED6C-4E18-A5A1-A8ADA73120AA",
"versionEndExcluding": "1.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter."
},
{
"lang": "es",
"value": "app/sections/user-menu.php en phpIPAM, en versiones anteriores a la 1.3.1 tiene Cross-Site Scripting (XSS) mediante el par\u00e1metro ip."
}
],
"id": "CVE-2017-15640",
"lastModified": "2024-11-21T03:14:56.030",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-04-21T21:29:00.227",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/1521"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/1.3.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/1521"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/releases/tag/1.3.1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-04 11:15
Modified
2024-11-21 06:40
Severity ?
Summary
Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18904167-103A-48E2-A8A6-075986A292B9",
"versionEndExcluding": "1.4.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6."
},
{
"lang": "es",
"value": "Una Autorizaci\u00f3n Inapropiada en el repositorio de GitHub phpipam/phpipam versiones anteriores a 1.4.6"
}
],
"id": "CVE-2022-1224",
"lastModified": "2024-11-21T06:40:17.437",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-04T11:15:08.067",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/cd9e1508-5682-427e-a921-14b4f520b85a"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security@huntr.dev",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-15 11:15
Modified
2024-11-19 15:53
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the \u0027X-Forwarded-For\u0027 header. The issue lies in the \u0027get_user_ip()\u0027 function in \u0027class.Common.php\u0027 at lines 1044 and 1045, where the presence of the \u0027X-Forwarded-For\u0027 header is checked and used instead of \u0027REMOTE_ADDR\u0027. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0."
},
{
"lang": "es",
"value": "La versi\u00f3n 1.5.1 de phpIPAM contiene una vulnerabilidad que permite a un atacante eludir el mecanismo de bloqueo de direcciones IP para obtener por fuerza bruta las contrase\u00f1as de los usuarios mediante el encabezado \u0027X-Forwarded-For\u0027. El problema se encuentra en la funci\u00f3n \u0027get_user_ip()\u0027 de \u0027class.Common.php\u0027 en las l\u00edneas 1044 y 1045, donde se comprueba la presencia del encabezado \u0027X-Forwarded-For\u0027 y se utiliza en lugar de \u0027REMOTE_ADDR\u0027. Esta vulnerabilidad permite a los atacantes realizar ataques por fuerza bruta en las cuentas de usuario, incluida la cuenta de administrador. El problema se ha corregido en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-0787",
"lastModified": "2024-11-19T15:53:59.093",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-11-15T11:15:09.213",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/55c2056068be9f1359e967fcff64db6b7f4d00b5"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/840cb582-1feb-43ab-9cc4-e4b5a63c5bab"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-09-22 15:15
Modified
2024-11-21 04:30
Severity ?
Summary
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2738 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5CE82745-8135-4737-967A-BCFE1EBF5353",
"versionEndIncluding": "1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used."
},
{
"lang": "es",
"value": "phpIPAM versi\u00f3n 1.4, permite una inyecci\u00f3n SQL por medio del par\u00e1metro table del archivo app/admin/custom-fields/filter.php cuando es usado action=add."
}
],
"id": "CVE-2019-16695",
"lastModified": "2024-11-21T04:30:59.893",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-22T15:15:14.017",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2738"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-15 11:15
Modified
2024-11-19 15:30
Severity ?
Summary
A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "423B42AB-F118-4DFE-89ED-2480875972AE",
"versionEndExcluding": "1.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim\u0027s browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en las versiones de phpipam/phpipam anteriores a la 1.4.7 permite a los atacantes ejecutar c\u00f3digo JavaScript arbitrario en el navegador de una v\u00edctima. Esta vulnerabilidad afecta a la funci\u00f3n de importaci\u00f3n de conjuntos de datos mediante la carga de un archivo de hoja de c\u00e1lculo. Los endpoints afectados incluyen import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php e import-l2dom-preview.php. La vulnerabilidad se puede explotar cargando un archivo de hoja de c\u00e1lculo especialmente manipulado que contenga payloads de JavaScript maliciosaos, que luego se ejecutan en el contexto del navegador de la v\u00edctima. Esto puede provocar la desfiguraci\u00f3n de sitios web, la ejecuci\u00f3n de c\u00f3digo JavaScript malicioso, el robo de cookies de usuario y el acceso no autorizado a las cuentas de usuario."
}
],
"id": "CVE-2022-1226",
"lastModified": "2024-11-19T15:30:53.477",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 0.9,
"impactScore": 2.5,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-15T11:15:07.527",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/50e36b9e4fff5eaa51dc6e42bc684748da378002"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/3fdcf653-fe26-4592-94a1-98ce664618ec"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-04-24 06:29
Modified
2024-11-21 03:41
Severity ?
Summary
app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/1903 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/1903 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "11F2E39D-A092-4E6F-B0A0-AF9D0682D1F6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "app/tools/mac-lookup/index.php in phpIPAM 1.3.1 has Reflected XSS on /tools/mac-lookup/ via the mac parameter."
},
{
"lang": "es",
"value": "app/tools/mac-lookup/index.php en phpIPAM 1.3.1 tiene Cross-Site Scripting (XSS) reflejado en /tools/mac-lookup/ mediante el par\u00e1metro mac."
}
],
"id": "CVE-2018-10329",
"lastModified": "2024-11-21T03:41:14.050",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-04-24T06:29:00.677",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/1903"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/1903"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-03-05 20:59
Modified
2025-04-20 01:37
Severity ?
Summary
Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam 1.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (instructions in app/admin/instructions/preview.php; subnetId in app/admin/powerDNS/refresh-ptr-records.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C1A0507-AFF1-40E0-A9EE-8F90BFF51833",
"versionEndIncluding": "1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam 1.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (instructions in app/admin/instructions/preview.php; subnetId in app/admin/powerDNS/refresh-ptr-records.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website."
},
{
"lang": "es",
"value": "M\u00faltiples problemas de XSS han sido descubiertos en phpipam 1.2. Las vulnerabilidades existen debido a filtraci\u00f3n insuficiente de datos suministrados por el usuario a varias p\u00e1ginas (instrucciones en app/admin/instructions/preview.php; subnetId en app/admin/powerDNS/refresh-ptr-records.php). Un atacante podr\u00eda ejecutar c\u00f3digo HTML y scrip arbitrario en el navegador en el contexto del sitio web vulnerable."
}
],
"id": "CVE-2017-6481",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-03-05T20:59:00.307",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/96573"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/992"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/96573"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/992"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-05-28 20:34
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which are then executed in the context of other users who view the affected pages. The issue occurs when editing the NAT destination address, where user input is not properly sanitized. This can lead to data theft, account compromise, and other malicious activities. The vulnerability is fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which are then executed in the context of other users who view the affected pages. The issue occurs when editing the NAT destination address, where user input is not properly sanitized. This can lead to data theft, account compromise, and other malicious activities. The vulnerability is fixed in version 1.7.0."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en phpipam/phpipam versi\u00f3n 1.5.2. Esta vulnerabilidad permite a un atacante inyectar scripts maliciosos en la aplicaci\u00f3n, que se ejecutan en el contexto de otros usuarios que visitan las p\u00e1ginas afectadas. El problema se produce al editar la direcci\u00f3n de destino NAT, donde la entrada del usuario no se depura correctamente. Esto puede provocar el robo de datos, la vulneraci\u00f3n de cuentas y otras actividades maliciosas. La vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-10725",
"lastModified": "2025-05-28T20:34:29.100",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:19.513",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/343465fa-6dec-40af-a012-7b118e91a771"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-03 16:15
Modified
2024-11-21 07:23
Severity ?
Summary
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6450C86E-E3DE-47FB-A6E4-4E101E4BC56F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php."
},
{
"lang": "es",
"value": "Se ha detectado que phpipam versi\u00f3n v1.5.0, contiene una vulnerabilidad de inyecci\u00f3n de encabezado por medio del componente /admin/subnets/ripe-query.php"
}
],
"id": "CVE-2022-41443",
"lastModified": "2024-11-21T07:23:14.637",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-03T16:15:13.937",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/enferas/7acd9636cc221bbf61d51425ab91ef01"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-12-20 17:29
Modified
2024-11-21 03:40
Severity ?
Summary
phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2344 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2344 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8C72849A-ACD1-453F-87A1-FE3A28E84D11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. This attack appear to be exploitable via Rough user, exploiting the vulnerability to access information he/she does not have access to.. This vulnerability appears to have been fixed in 1.4."
},
{
"lang": "es",
"value": "phpIPAM 1.3.2 contiene una vulnerabilidad CWE-89 en /app/admin/nat/item-add-submit.php que puede resultar en una inyecci\u00f3n SQL. El ataque parece ser explotable mediante un usuario malicioso que explote la vulnerabilidad para acceder a informaci\u00f3n a la que no puede acceder. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 1.4."
}
],
"id": "CVE-2018-1000869",
"lastModified": "2024-11-21T03:40:32.327",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-12-20T17:29:00.737",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2344"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/856b10ca85a24c04ed8651f4e13f867ec78a353d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2344"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-12-20 17:29
Modified
2024-11-21 03:40
Severity ?
Summary
phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh'><script>alert(1)</script>quqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain..
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/phpipam/phpipam/issues/2338 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/issues/2338 | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "263E5E1B-4833-43F0-B563-30ADE0F25EE0",
"versionEndIncluding": "1.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpipam version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in The value of the phpipamredirect cookie is copied into an HTML tag on the login page encapsulated in single quotes. Editing the value of the cookie to r5zkh\u0027\u003e\u003cscript\u003ealert(1)\u003c/script\u003equqtl exploits an XSS vulnerability. that can result in Arbitrary code executes in victims browser.. This attack appear to be exploitable via Needs to be chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance\u0027s domain.."
},
{
"lang": "es",
"value": "phpipam, en versiones 1.3.2 y anteriores, contiene una vulnerabilidad Cross-Site Scripting (XSS). El valor de la cookie phpipamredirect se copia en una etiqueta HTML en la p\u00e1gina de inicio de sesi\u00f3n encapsulada entre comillas simples. Editar el valor de la cookie r5zkh\u0027\u003equqtl explota una vulnerabilidad Cross-Site Scripting (XSS) que puede resultar en la ejecuci\u00f3n de c\u00f3digo arbitrario en el navegador de la v\u00edctima. Este ataque debe encadenarse con otro exploit que permita al atacante configurar o modificar una cookie para el dominio de la instancia phpIPAM."
}
],
"id": "CVE-2018-1000860",
"lastModified": "2024-11-21T03:40:30.883",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-12-20T17:29:00.517",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2338"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/issues/2338"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-08-20 20:59
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter to site/error.php or (2) ip parameter to site/tools/searchResults.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.1.010:*:*:*:*:*:*:*",
"matchCriteriaId": "5AED069C-E4FD-4976-BDA7-A0BA3FF45F7E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter to site/error.php or (2) ip parameter to site/tools/searchResults.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en phpipam 1.1.010, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de (1) el par\u00e1metro section de site/error.php o (2) el par\u00e1metro ip de site/tools/searchResults.php."
}
],
"id": "CVE-2015-6529",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-08-20T20:59:02.850",
"references": [
{
"source": "cve@mitre.org",
"url": "http://hyp3rlinx.altervista.org/advisories/AS-PHPIPAM0812.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/133055/phpipam-1.1.010-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/536188/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://hyp3rlinx.altervista.org/advisories/AS-PHPIPAM0812.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/133055/phpipam-1.1.010-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/536188/100/0/threaded"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-04-01 20:35
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which can be executed in the context of other users who view the affected page. The issue occurs in the circuits options page (https://demo.phpipam.net/tools/circuits/options/). An attacker can exploit this vulnerability to steal cookies, gain unauthorized access to user accounts, or redirect users to malicious websites. The vulnerability has been fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "94A1B7BC-541E-4793-ABCF-B38C69F6EA6B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which can be executed in the context of other users who view the affected page. The issue occurs in the circuits options page (https://demo.phpipam.net/tools/circuits/options/). An attacker can exploit this vulnerability to steal cookies, gain unauthorized access to user accounts, or redirect users to malicious websites. The vulnerability has been fixed in version 1.7.0."
},
{
"lang": "es",
"value": "Se descubri\u00f3 una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en phpipam/phpipam versi\u00f3n 1.5.2. Esta vulnerabilidad permite a un atacante inyectar scripts maliciosos en la aplicaci\u00f3n, que pueden ejecutarse en el contexto de otros usuarios que visitan la p\u00e1gina afectada. El problema ocurre en la p\u00e1gina de opciones de circuitos (https://demo.phpipam.net/tools/circuits/options/). Un atacante puede explotar esta vulnerabilidad para robar cookies, obtener acceso no autorizado a cuentas de usuario o redirigir a usuarios a sitios web maliciosos. La vulnerabilidad se ha corregido en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-10721",
"lastModified": "2025-04-01T20:35:45.840",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:19.020",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit"
],
"url": "https://huntr.com/bounties/a440a003-84c9-47b5-bfbd-675564abe3d8"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit"
],
"url": "https://huntr.com/bounties/a440a003-84c9-47b5-bfbd-675564abe3d8"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-04 17:15
Modified
2024-11-21 05:38
Severity ?
Summary
An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://pastebin.com/ZPECbgZb | Exploit, Third Party Advisory | |
| cve@mitre.org | https://phpipam.net/news/phpipam-v1-5-released/ | Broken Link, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://pastebin.com/ZPECbgZb | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://phpipam.net/news/phpipam-v1-5-released/ | Broken Link, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3B073F95-66BA-4D4E-888F-51DC1B2B834A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en el archivo tools/pass-change/result.php en phpIPAM versi\u00f3n 1.4., un ataque de tipo CSRF puede ser usado para cambiar la contrase\u00f1a de cualquier usuario/administrador, para escalar privilegios y para conseguir acceso a m\u00e1s datos y funcionalidad. Este problema se presenta debido a la falta de un requerimiento para proveer la antigua contrase\u00f1a y a la falta de tokens de seguridad."
}
],
"id": "CVE-2020-7988",
"lastModified": "2024-11-21T05:38:08.880",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-04T17:15:11.830",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://pastebin.com/ZPECbgZb"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Vendor Advisory"
],
"url": "https://phpipam.net/news/phpipam-v1-5-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://pastebin.com/ZPECbgZb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Vendor Advisory"
],
"url": "https://phpipam.net/news/phpipam-v1-5-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-03-20 10:15
Modified
2025-05-28 20:36
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability occurs in the 'Device Management' section under 'Administration' where an attacker can inject malicious scripts into the 'Name' and 'Description' fields when adding a new device type. This can lead to data theft, account compromise, distribution of malware, website defacement, and phishing attacks. The issue is fixed in version 1.7.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
"versionEndExcluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability occurs in the \u0027Device Management\u0027 section under \u0027Administration\u0027 where an attacker can inject malicious scripts into the \u0027Name\u0027 and \u0027Description\u0027 fields when adding a new device type. This can lead to data theft, account compromise, distribution of malware, website defacement, and phishing attacks. The issue is fixed in version 1.7.0."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en phpipam/phpipam versi\u00f3n 1.5.2. La vulnerabilidad se produce en la secci\u00f3n \"Administraci\u00f3n de dispositivos\", dentro de \"Administraci\u00f3n\", donde un atacante puede inyectar scripts maliciosos en los campos \"Nombre\" y \"Descripci\u00f3n\" al a\u00f1adir un nuevo tipo de dispositivo. Esto puede provocar robo de datos, vulneraci\u00f3n de cuentas, distribuci\u00f3n de malware, desfiguraci\u00f3n de sitios web y ataques de phishing. El problema est\u00e1 corregido en la versi\u00f3n 1.7.0."
}
],
"id": "CVE-2024-10720",
"lastModified": "2025-05-28T20:36:18.510",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 6.0,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-03-20T10:15:18.897",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch"
],
"url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://huntr.com/bounties/75e06e05-7f69-4938-a83c-1dcc98922188"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-04 13:15
Modified
2024-11-21 07:37
Severity ?
Summary
Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/phpipam/phpipam/commit/8fbf87e19a6098972abc7521554db5757c3edd89 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/d280ae81-a1c9-4a50-9aa4-f98f1f9fd2c0 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/phpipam/phpipam/commit/8fbf87e19a6098972abc7521554db5757c3edd89 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/d280ae81-a1c9-4a50-9aa4-f98f1f9fd2c0 | Exploit, Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E6C6452-C85E-4BF3-B06C-1F81BB54FC5C",
"versionEndExcluding": "1.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to v1.5.1."
}
],
"id": "CVE-2023-0677",
"lastModified": "2024-11-21T07:37:36.633",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 0.8,
"impactScore": 3.6,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-04T13:15:12.633",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/8fbf87e19a6098972abc7521554db5757c3edd89"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/d280ae81-a1c9-4a50-9aa4-f98f1f9fd2c0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/phpipam/phpipam/commit/8fbf87e19a6098972abc7521554db5757c3edd89"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/d280ae81-a1c9-4a50-9aa4-f98f1f9fd2c0"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}