
Phpipam vulnerabilities

52 known vulnerabilities affecting phpipam/phpipam.

Total CVEs: 52
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 8, MEDIUM 36, LOW 1

Vulnerabilities

Page 1 of 3
Fields per entry: CVE ID | priority | severity | CVSS score | public exploit (PoC / no PoC) | affected or fixed version | date. Descriptions are sourced from NVD.

CVE-2019-16692 | P2 | CRITICAL | CVSS 9.8 | PoC | ≤ 1.4 | 2019-09-22
  CWE-89: phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.

CVE-2019-16693 | P2 | CRITICAL | CVSS 9.8 | PoC | ≤ 1.4 | 2019-09-22
  CWE-89: phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.

CVE-2022-23046 | P3 | HIGH | CVSS 7.2 | PoC | v1.4.4 | 2022-01-19
  CWE-89: PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php.

CVE-2023-0678 | P3 | MEDIUM | CVSS 5.3 | PoC | fixed in 1.5.1 | 2023-02-04
  CWE-862: Missing Authorization in GitHub repository phpipam/phpipam prior to v1.5.1.

CVE-2023-1211 | P3 | HIGH | CVSS 7.2 | PoC | fixed in 1.5.2 | 2023-03-07
  CWE-89: SQL Injection in GitHub repository phpipam/phpipam prior to v1.5.2.

CVE-2023-24657 | P3 | MEDIUM | CVSS 6.1 | PoC | v1.6 | 2023-03-08
  CWE-79: phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php.

CVE-2024-41358 | P3 | MEDIUM | CVSS 6.1 | PoC | v1.6 | 2024-08-29
  CWE-79: phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via app\admin\import-export\import-load-data.php.

CVE-2024-41357 | P3 | HIGH | CVSS 7.1 | PoC | v1.6 | 2024-07-26
  CWE-79: phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php.

CVE-2023-0676 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in 1.5.1 | 2023-02-04
  CWE-79: Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.

CVE-2019-16695 | P3 | CRITICAL | CVSS 9.8 | no PoC | ≤ 1.4 | 2019-09-22
  CWE-89: phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.

CVE-2019-16696 | P3 | CRITICAL | CVSS 9.8 | no PoC | ≤ 1.4 | 2019-09-22
  CWE-89: phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.

CVE-2019-16694 | P3 | CRITICAL | CVSS 9.8 | no PoC | ≤ 1.4 | 2019-09-22
  CWE-89: phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit-result.php table parameter when action=add is used.

CVE-2018-1000869 | P3 | CRITICAL | CVSS 9.8 | no PoC | v1.3.2 | 2018-12-20
  CWE-89: phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection. This attack appears to be exploitable via a rough user, exploiting the vulnerability to access information he/she does not have access to. This vulnerability appears to have been fixed in 1.4.

CVE-2023-41580 | P3 | HIGH | CVSS 7.5 | no PoC | fixed in 1.5.2 | 2023-10-02
  CWE-74: Phpipam before v1.5.2 was discovered to contain an LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request.

CVE-2022-41443 | P3 | CRITICAL | CVSS 9.8 | no PoC | v1.5.0 | 2022-10-03
  CWE-116: phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.

CVE-2020-7988 | P3 | HIGH | CVSS 8.8 | no PoC | v1.4 | 2020-03-04
  CWE-352: An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens.

CVE-2024-10718 | P3 | HIGH | CVSS 7.5 | no PoC | fixed in 1.7.0 | 2025-03-20
  CWE-614: In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the user agent to send those cookies in plaintext over an HTTP session, potentially exposing sensitive information. The issue is fixed in version 1.7.0.

CVE-2022-1223 | P4 | MEDIUM | CVSS 6.5 | no PoC | fixed in 1.4.6 | 2022-04-04
  CWE-863: Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.

CVE-2022-1225 | P4 | MEDIUM | CVSS 6.5 | no PoC | fixed in 1.4.6 | 2022-04-04
  CWE-266: Incorrect Privilege Assignment in GitHub repository phpipam/phpipam prior to 1.4.6.

CVE-2022-1224 | P4 | MEDIUM | CVSS 6.5 | no PoC | fixed in 1.4.6 | 2022-04-04
  CWE-285: Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6.
Phpipam vulnerabilities | cvebase