5.4

CVE-2024-10719

Exploit

Stored Cross-site Scripting (XSS) in phpipam/phpipam

A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. This vulnerability allows an attacker to inject malicious scripts via the 'option' parameter in the POST request to /phpipam/app/admin/circuits/edit-options-submit.php. The injected script can be executed in the context of the user's browser, leading to potential cookie theft and end-user file disclosure. The issue is fixed in version 1.7.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PhpipamPhpipam Version < 1.7.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.31% 0.227
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security@huntr.dev 2.4 0.9 1.4
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://huntr.com/bounties/56aba8cb-4da1-44b4-8c4d-c5ba00ea3670
Third Party Advisory
Exploit
https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731
Patch