CVE-2024-10720 Information

Description

A stored cross-site scripting (XSS) vulnerability exists in phpipam/phpipam version 1.5.2. The vulnerability occurs in the ‘Device Management’ section under ‘Administration’ where an attacker can inject malicious scripts into the ‘Name’ and ‘Description’ fields when adding a new device type. This can lead to data theft account compromise distribution of malware website defacement and phishing attacks. The issue is fixed in version 1.7.0.

Reference

https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731 https://huntr.com/bounties/75e06e05-7f69-4938-a83c-1dcc98922188