Vulnerability Description
A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phpipam | Phpipam | < 1.4.7 |
Related Weaknesses (CWE)
References
- https://github.com/phpipam/phpipam/commit/50e36b9e4fff5eaa51dc6e42bc684748da3780Patch
- https://huntr.com/bounties/3fdcf653-fe26-4592-94a1-98ce664618ecExploitThird Party Advisory
FAQ
What is CVE-2022-1226?
CVE-2022-1226 is a vulnerability with a CVSS score of 4.8 (MEDIUM). A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the i...
How severe is CVE-2022-1226?
CVE-2022-1226 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-1226?
Check the references section above for vendor advisories and patch information. Affected products include: Phpipam Phpipam.