A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.
References
Link | Resource |
---|---|
https://github.com/phpipam/phpipam/commit/50e36b9e4fff5eaa51dc6e42bc684748da378002 | Patch |
https://huntr.com/bounties/3fdcf653-fe26-4592-94a1-98ce664618ec | Exploit Third Party Advisory |
Configurations
History
19 Nov 2024, 15:30
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/phpipam/phpipam/commit/50e36b9e4fff5eaa51dc6e42bc684748da378002 - Patch | |
References | () https://huntr.com/bounties/3fdcf653-fe26-4592-94a1-98ce664618ec - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:* | |
First Time |
Phpipam phpipam
Phpipam |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
15 Nov 2024, 13:58
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
15 Nov 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-11-15 11:15
Updated : 2024-11-19 15:30
NVD link : CVE-2022-1226
Mitre link : CVE-2022-1226
CVE.ORG link : CVE-2022-1226
JSON object : View
Products Affected
phpipam
- phpipam
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')