D-3Lf

**Name of the Vulnerable Software and Affected Versions** phpipam versions 1.3.2 and earlier **Description** The issue concerns a Cross Site Scripting (XSS) vulnerability. It occurs because the value of the `phpipamredirect` cookie is copied into an HTML tag on the login page, encapsulated in single quotes. An attacker can exploit this by editing the cookie value to include malicious script, such as `r5zkh'><script>alert(1)</script>quqtl`, which can lead to arbitrary code execution in the victim's browser. This attack is exploitable when chained with another exploit that allows an attacker to set or modify a cookie for the phpIPAM instance's domain. **Recommendations** For phpipam versions 1.3.2 and earlier, as a temporary workaround, consider validating and sanitizing the `phpipamredirect` cookie value to prevent malicious script injection until a patch is available. Restrict access to the login page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.