CVE-2024-10719

MEDIUM

phpipam < 1.7.0 - Stored Cross-Site Scripting via Circuits Option Parameter

Title source: llm

Description

A stored cross-site scripting (XSS) vulnerability exists in phpipam version 1.5.2, specifically in the circuits options functionality. This vulnerability allows an attacker to inject malicious scripts via the 'option' parameter in the POST request to /phpipam/app/admin/circuits/edit-options-submit.php. The injected script can be executed in the context of the user's browser, leading to potential cookie theft and end-user file disclosure. The issue is fixed in version 1.7.0.

References (2)

Core 2

Core References

Patch

https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/56aba8cb-4da1-44b4-8c4d-c5ba00ea3670

Scores

CVSS v3 5.4

EPSS 0.0031

EPSS Percentile 22.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

phpipam/phpipam < 1.7.0

Published Mar 20, 2025

Tracked Since Feb 18, 2026