FKIE_CVE-2024-10722

Vulnerability from fkie_nvd - Published: 2025-03-20 10:15 - Updated: 2025-05-28 20:35
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability allows attackers to inject malicious scripts into the 'Description' field of custom fields in the 'IP RELATED MANAGEMENT' section. This can lead to data theft, account compromise, distribution of malware, website defacement, content manipulation, and phishing attacks. The issue is fixed in version 1.7.0.
References
security@huntr.devhttps://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731Patch
security@huntr.devhttps://huntr.com/bounties/f0bc97b2-33a9-4b15-aa05-ff7c57624847Exploit, Third Party Advisory
Impacted products
Vendor Product Version
phpipam phpipam *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "896B6AA4-8068-41F4-ACD4-92893E5BB0AD",
              "versionEndExcluding": "1.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability allows attackers to inject malicious scripts into the \u0027Description\u0027 field of custom fields in the \u0027IP RELATED MANAGEMENT\u0027 section. This can lead to data theft, account compromise, distribution of malware, website defacement, content manipulation, and phishing attacks. The issue is fixed in version 1.7.0."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en phpipam/phpipam versi\u00f3n 1.5.2. Esta vulnerabilidad permite a los atacantes inyectar scripts maliciosos en el campo \"Descripci\u00f3n\" de los campos personalizados de la secci\u00f3n \"GESTI\u00d3N DE IP\". Esto puede provocar robo de datos, vulneraci\u00f3n de cuentas, distribuci\u00f3n de malware, desfiguraci\u00f3n de sitios web, manipulaci\u00f3n de contenido y ataques de phishing. El problema est\u00e1 corregido en la versi\u00f3n 1.7.0."
    }
  ],
  "id": "CVE-2024-10722",
  "lastModified": "2025-05-28T20:35:42.690",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 1.4,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-03-20T10:15:19.140",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/f0bc97b2-33a9-4b15-aa05-ff7c57624847"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.