PT-2022-1466 · phpIPAM

Oscar Uribe · Published 2022-01-06 · Updated 2025-06-24 · CVE-2022-23046

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: phpIPAM version 1.4.4

Description: The vulnerability stems from missing protection against manipulation of the SQL query structure when the subnet parameter is handled in the app/admin/routing/edit-bgp-mapping-search.php component of the phpIPAM web application. An authenticated remote attacker with admin privileges can inject SQL statements into the subnet parameter while searching for a subnet and thereby execute arbitrary SQL queries against the phpIPAM database.

Recommendations: For phpIPAM version 1.4.4, consider blocking access to app/admin/routing/edit-bgp-mapping-search.php (for example, at the web server) until a patched build is deployed, and restrict which users can reach the affected subnet-search function to minimize the risk of exploitation. Because exploitation requires an admin session, keeping the number of admin accounts small and reviewing web-server access logs for requests to this script whose subnet parameter carries quote characters or SQL keywords is a reasonable compensating check. At the time of writing, this advisory lists no newer version that contains a fix for this vulnerability.
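The weakness described above, as an added example that is not phpIPAM's own code: a constructed in-memory sqlite3 database (the schema and rows are assumptions for illustration, not phpIPAM's), a subnet search that splices the user-supplied value into the query text beside a parameterized version of the same search, and a UNION payload that the first accepts and the second does not.

```python
import sqlite3


def build_db():
    """Constructed sample data for the demonstration; the schema is an
    assumption for illustration and is not phpIPAM's own."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE subnets (id INTEGER PRIMARY KEY, subnet TEXT, description TEXT);
        INSERT INTO subnets VALUES (1, '10.0.0.0/24', 'office');
        INSERT INTO subnets VALUES (2, '10.0.1.0/24', 'lab');
        INSERT INTO subnets VALUES (3, '192.168.1.0/24', 'guest');
        -- A table the subnet search must never expose, standing in for
        -- whatever sensitive data lives next to the subnets.
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash');
    """)
    return conn


def search_vulnerable(conn, subnet):
    """Search by subnet the way the weakness above works: the user-controlled
    value is spliced into the query text, so the caller controls the
    statement's structure and not just a compared value."""
    sql = ("SELECT id, subnet, description FROM subnets "
           "WHERE subnet LIKE '%" + subnet + "%'")
    return conn.execute(sql).fetchall()


def search_fixed(conn, subnet):
    """Same search with the value bound as a parameter: the statement
    structure is constant and the input is only ever compared as data."""
    sql = "SELECT id, subnet, description FROM subnets WHERE subnet LIKE ?"
    return conn.execute(sql, ("%" + subnet + "%",)).fetchall()


# Hypothetical UNION payload for the subnet field: it closes the LIKE string,
# appends a SELECT over another table, and comments out the trailing "%'"
# that the vulnerable template would otherwise append.
INJECTION = "' UNION SELECT id, username, password FROM users -- "


def exposed_user_rows(rows):
    """Rows that came from the users table rather than subnets: their second
    column is a username, not a CIDR string."""
    return [r for r in rows if "/" not in r[1]]


def demo():
    """Run both searches with a normal value and with the payload."""
    conn = build_db()
    return {
        "vulnerable_normal": len(search_vulnerable(conn, "10.0.")),
        "vulnerable_injected": len(exposed_user_rows(search_vulnerable(conn, INJECTION))),
        "fixed_normal": len(search_fixed(conn, "10.0.")),
        "fixed_injected": len(search_fixed(conn, INJECTION)),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the value as a parameter removes the attacker's control over the statement structure, which is the fix class for this weakness (phpIPAM runs on MySQL, where the same applies to prepared statements). It does not make the search literal: `%` and `_` in the input still act as LIKE wildcards, so a search that must match exactly also needs those characters escaped with an ESCAPE clause.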

Exploit: SQL injection

Weakness Enumeration

Related Identifiers: BDU:2022-00608, CVE-2022-23046

Affected Products: phpIPAM