CVE-2022-1226 LOW

CVE-2022-1226: Cross-site Scripting (XSS) in phpipam/phpipam

Vendor Phpipam
Product phpipam/phpipam
Weakness CWE-79 · XSS
Published November 15, 2024
Last update November 15, 2024
View on NVD All CVEs

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.

Key dates

02Disclosure timeline

November 15, 2024 CVE published
November 15, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-56034 WordPress Services updates for customers plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-8714 WordPress Affiliates Plugin — SliceWP Affiliates <= 1.1.20 - Reflected Cross-Site Scripting CVE-2026-30913 flarum/nickname: Display name injection in notification emails (autolink & markdown) CVE-2023-51463 Adobe Experience Manager | Cross-site Scripting (Reflected XSS) (CWE-79) CVE-2024-8729 Easy Social Share Buttons <= 1.4.5 - Reflected Cross-Site Scripting