CVE-2024-10721

MEDIUM

Phpipam - XSS

Title source: rule

Description

A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the application, which can be executed in the context of other users who view the affected page. The issue occurs in the circuits options page (https://demo.phpipam.net/tools/circuits/options/). An attacker can exploit this vulnerability to steal cookies, gain unauthorized access to user accounts, or redirect users to malicious websites. The vulnerability has been fixed in version 1.7.0.

References (2)

Core 2

Core References

Patch

https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731

View Patch ZIP pw:eip

Exploit

https://huntr.com/bounties/a440a003-84c9-47b5-bfbd-675564abe3d8

Scores

CVSS v3 5.4

EPSS 0.0014

EPSS Percentile 34.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

phpipam/phpipam 1.5.2

Published Mar 20, 2025

Tracked Since Feb 18, 2026