phpIPAM 1.4.4 - Stored XSS
Summary
| Name | phpIPAM 1.4.4 - Stored XSS |
| Code name | |
| Product | phpIPAM |
| Affected versions | 1.4.4 |
| Fixed Versions | 1.4.5 |
| State | Public |
| Release date | 2022-01-18 |
Vulnerability
| Kind | Stored cross-site scripting (XSS) |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| CVSSv3.1 Base Score | 4.8 |
| Exploit available | No |
| CVE ID(s) |
Description
phpIPAM v1.4.4 allows an authenticated admin user to inject persistent javascript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS.
Proof of Concept
Steps to reproduce:
XSS:
- Go to
"http://192.168.1.5/phpipam/index.php?page=administration§ion=settings". - Update the "Site Title" parameter with
" autofocus onfocus=alert(1)>. - Click on 'Save'.
- If a user visits the settings page the javascript code will be rendered.
Open redirect:
- Go to
"http://192.168.1.5/phpipam/index.php?page=administration§ion=settings". - Update the "Site Title" parameter with
0;url=https://google.com" http-equiv="refresh". - Click on 'Save'.
- If a user reloads the page, they will be redirected to
https://google.com.
System Information
- Version: phpIPAM IP address management v1.4.4.
- Operating System: Linux.
- Web Server: Apache
- PHP Version: 7.4
- Database and version: Mysql
Exploit
There is no exploit for the vulnerability but can be manually exploited.
Mitigation
An updated version of phpIPAM is available at the vendor page.
Credits
The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.
References
Vendor page https://phpipam.net/
Patched version https://github.com/phpipam/phpipam/releases/tag/v1.4.5
Timeline
2022-01-06
Vulnerability discovered.
2022-01-07
Vendor contacted.
2022-01-07
Vendor replied acknowledging the report.
2022-01-17
Vulnerability patched.
2022-01-18
Public Disclosure.
