CVE-2024-10723

MEDIUM

phpipam < 1.7.0 - Stored Cross-Site Scripting via NAT Tool Destination Address Field

Title source: llm

Description

A stored cross-site scripting (XSS) vulnerability was discovered in phpipam/phpipam version 1.5.2. This vulnerability allows an attacker to inject malicious scripts into the destination address field of the NAT tool, which can be executed when a user interacts with the field. The impact of this vulnerability includes the potential theft of user cookies, unauthorized access to user accounts, and redirection to malicious websites. The issue has been fixed in version 1.7.0.

References (2)

Core 2

Core References

Patch

https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/9af99057-e4f6-4d07-b3bb-3213b977801d

Scores

CVSS v3 5.4

EPSS 0.0032

EPSS Percentile 23.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

phpipam/phpipam < 1.7.0

Published Mar 20, 2025

Tracked Since Feb 18, 2026