PT-2023-2058 · Phpipam+1

Zpbrent · Published 2016-12-29 · Updated 2026-02-16 · CVE-2023-1211

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

phpipam versions prior to 1.5.2

Description

The issue is related to a lack of protection against SQL query structure manipulation in the app/admin/custom-fields/edit-result.php script of the phpipam web application for IP address management. This is due to the handling of user fields with parameters such as fieldType=set and fieldSize='1'. The exploitation of this issue may allow a remote attacker to execute arbitrary SQL commands.

Recommendations

For versions prior to 1.5.2, update to version 1.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the edit-result.php script in the app/admin/custom-fields directory until a patch is applied. Avoid using the fieldType and fieldSize parameters in the affected script until the issue is resolved.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

ALT-PU-2016-2512
ALT-PU-2023-1810
ALT-PU-2023-1837
BDU:2023-01781
CVE-2023-1211

Affected Products

Alt Linux
Phpipam