CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Apr 2022 — Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6. • https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 • CWE-863: Incorrect Authorization

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Apr 2022 — Improper Authorization in GitHub repository phpipam/phpipam prior to 1.4.6. • https://github.com/phpipam/phpipam/commit/f6a49fd9f93b7d7e0a4fbf1d35338502eed35953 • CWE-285: Improper Authorization • CWE-863: Incorrect Authorization

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

25 Mar 2022 — phpIPAM 1.4.4 allows Reflected XSS and CSRF via app/admin/subnets/find_free_section_subnets.php of the subnets functionality. PHPIPAM version 1.4.4 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://packetstorm.news/files/id/167227 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

19 Jan 2022 — PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS. • https://fluidattacks.com/advisories/osbourne • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 • EPSS: 51% • CPEs: 1 • EXPL: 8

19 Jan 2022 — PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php. PHPIPAM version 1.4.4 suffers from an authenticated remote SQL injection vulnerability. • https://packetstorm.news/files/id/165683 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

23 Jun 2021 — phpIPAM 1.4.3 allows Reflected XSS via app/dashboard/widgets/ipcalc-result.php and app/tools/ip-calculator/result.php of the IP calculator. • https://github.com/phpipam/phpipam/issues/3351 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

20 May 2020 — phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget. • https://github.com/phpipam/phpipam/issues/3025 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

04 Mar 2020 — An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens. • https://pastebin.com/ZPECbgZb • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 • EPSS: 20% • CPEs: 1 • EXPL: 4

22 Sep 2019 — phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used. phpIPAM version 1.4 suffers from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/154651 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

22 Sep 2019 — phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used. • https://github.com/phpipam/phpipam/issues/2738 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')