Vulnerabilities for 'Phpipam'
2022-04-04
CVE-2022-1223
CWE-284
Improper Access Control in GitHub repository phpipam/phpipam prior to 1.4.6.
CVE-2022-1224
CWE-863
Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
CVE-2022-1225
CWE-266
Incorrect Privilege Assignment in GitHub repository phpipam/phpipam prior to 1.4.6.
2022-03-25
CVE-2021-46426
CWE-79
phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality.
2022-01-19
CVE-2022-23045
CWE-79
PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS.
CVE-2022-23046
CWE-89
PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL statements in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.
2021-06-23
CVE-2021-35438
CWE-79
phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator.
2020-05-20
CVE-2020-13225
CWE-79
phpIPAM 1.4 contains a stored cross-site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget.
2020-03-04
CVE-2020-7988
CWE-352
An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens.
2019-09-22
CVE-2019-16696
CWE-89
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
Copyright 2024, cxsecurity.com