phpIPAM 1.4.4 - Stored XSS
CVSS v3.1 base score: 4.8 (Medium)
Discovered by: Offensive Team, Fluid Attacks
Summary
Full name: phpIPAM 1.4.4 - Stored XSS
Code name:
State: Public
Release date: Jan 18, 2022
Affected product: phpIPAM
Affected version(s): 1.4.4
Fixed version(s): 1.4.5
Vulnerability name: Stored cross-site scripting (XSS)
Vulnerability type:
Remotely exploitable: Yes
CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v3.1 base score: 4.8
Exploit available: No
CVE ID(s):
Description
phpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code through the "Site title" parameter while updating the site settings. The "Site title" setting is then output in several locations, which triggers the XSS.
Proof of Concept
Steps to reproduce:
XSS:
1. Go to "http://192.168.1.5/phpipam/index.php?page=administration&section=settings".
2. Update the "Site Title" parameter with: " autofocus onfocus=alert(1)>
3. Click on 'Save'.
If a user visits the settings page, the JavaScript code will be rendered.
Open redirect:
1. Go to "http://192.168.1.5/phpipam/index.php?page=administration&section=settings".
2. Update the "Site Title" parameter with: 0;url=https://google.com" http-equiv="refresh"
3. Click on 'Save'.
If a user reloads the page, they will be redirected to https://google.com.
System Information
Version: phpIPAM IP address management v1.4.4.
Operating System: Linux.
Web Server: Apache.
PHP Version: 7.4.
Database and version: MySQL.
Exploit
There is no exploit for the vulnerability, but it can be manually exploited.
Mitigation
An updated version of phpIPAM is available at the vendor page.
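For code that writes a stored setting such as "Site title" into HTML attributes, the attribute breakout shown in the steps to reproduce is stopped by encoding the value at output time. The PHP below is an added example, not phpIPAM's code or its 1.4.5 patch: the two templates and the helpers attr() and attributeNames() are hypothetical, and it assumes PHP with the DOM extension.

```php
<?php
declare(strict_types=1);

// Hypothetical templates (assumption, not phpIPAM source): the stored title
// is written into a double-quoted HTML attribute.
const TEMPLATES = [
    'input' => '<input type="text" name="siteTitle" value="%s">',
    'meta'  => '<meta name="title" content="%s">',
];

// The two "Site Title" values from the steps to reproduce above.
const SAMPLES = [
    '" autofocus onfocus=alert(1)>',
    '0;url=https://google.com" http-equiv="refresh"',
];

// Encode for an HTML attribute: &, <, > and both quote characters become entities.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse a rendered tag and return the attribute names an HTML parser sees on it.
function attributeNames(string $html, string $tag): array
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $node = $doc->getElementsByTagName($tag)->item(0);
    $names = [];
    foreach ($node === null ? [] : $node->attributes as $attribute) {
        $names[] = $attribute->nodeName;
    }
    return $names;
}

libxml_use_internal_errors(true); // malformed markup is expected here
foreach (TEMPLATES as $tag => $template) {
    // Baseline: attributes present with a constructed, benign title.
    $expected = attributeNames(sprintf($template, 'My IPAM'), $tag);
    foreach (SAMPLES as $title) {
        foreach (['raw' => $title, 'encoded' => attr($title)] as $mode => $value) {
            $seen  = attributeNames(sprintf($template, $value), $tag);
            $extra = array_diff($seen, $expected);
            printf("%-5s %-7s extra attributes: %s\n", $tag, $mode, implode(', ', $extra) ?: 'none');
        }
    }
}
```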
References
Vendor page: https://phpipam.net/
Patched version: https://github.com/phpipam/phpipam/releases/tag/v1.4.5
Timeline
Vulnerability discovered: Jan 6, 2022
Vulnerability patched: Jan 17, 2022
Vendor contacted: Jan 7, 2022
Vendor replied: Jan 7, 2022
Public disclosure: Jan 18, 2022