Stored Cross-Site Scripting in phpipam Affects Device Management
CVE-2024-10720

6.1 MEDIUM

Key Information:

Vendor: PHPipam

CVE Published: 20 March 2025

What is CVE-2024-10720?

A stored cross-site scripting (XSS) vulnerability exists in phpipam, specifically in the Device Management section under Administration. Attackers can exploit this flaw by injecting malicious scripts into the Name and Description fields while adding a new device type. Such an injection could lead to data theft, account compromise, the distribution of malware, website defacement, and phishing attacks. The vulnerability has been addressed in phpipam version 1.7.0.

Affected Version(s)

phpipam/phpipam < 1.7.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

CVSS V3.0

Score: 8.2
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
