XSS vulnerability in phpipam affects import features
CVE-2022-1226
What is CVE-2022-1226?
A Cross-Site Scripting (XSS) issue exists in the phpipam web application in versions before 1.4.7. An attacker can upload specially crafted spreadsheet files that cause arbitrary JavaScript code to execute in the browsers of users. Key susceptible endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. Exploitation can lead to severe consequences, including alteration of website content, execution of harmful scripts, unauthorized access to sensitive user information such as cookies, and compromise of user accounts.
Affected Version(s)
phpipam/phpipam < 1.4.7