CVE-2022-1226

MEDIUM

phpipam < 1.4.7 - Stored Cross-Site Scripting via Spreadsheet File Upload in Import Data Feature

Title source: llm

Description

A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.

References (2)

Core 2

Core References

Patch

https://github.com/phpipam/phpipam/commit/50e36b9e4fff5eaa51dc6e42bc684748da378002

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/3fdcf653-fe26-4592-94a1-98ce664618ec

Scores

CVSS v3 4.8

EPSS 0.0040

EPSS Percentile 31.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

phpipam/phpipam < 1.4.7

Published Nov 15, 2024

Tracked Since Feb 18, 2026