PT-2024-11507 · Phpipam · Phpipam

Faisal Fs · Published 2024-11-15 · Updated 2024-11-19

·

CVE-2022-1226

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: phpipam/phpipam versions prior to 1.4.7

Description: A Cross-Site Scripting (XSS) vulnerability allows attackers to execute arbitrary JavaScript code in the browser of a victim. This issue affects the import Data set feature via a spreadsheet file upload. The affected endpoints include "import-vlan-preview.php", "import-subnets-preview.php", "import-vrf-preview.php", "import-ipaddr-preview.php", "import-devtype-preview.php", "import-devices-preview.php", and "import-l2dom-preview.php". The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to website defacement, execution of malicious JavaScript code, theft of user cookies, and unauthorized access to user accounts.

Recommendations: For versions prior to 1.4.7, update to version 1.4.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the import Data set feature and the affected endpoints until a patch is applied. Avoid uploading spreadsheet files from untrusted sources to minimize the risk of exploitation.
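The root cause of this class of bug is that cell values parsed from the uploaded spreadsheet are written into the preview page as HTML rather than as text. The following is an added illustration, not phpipam's own code: a minimal preview renderer in its vulnerable form next to the output-encoded form. The column names, the row layout and the sample rows are all constructed assumptions for the example; nothing here is taken from a real import file.

```php
<?php
declare(strict_types=1);

// Added example, not phpipam's own code: shows the pattern behind a stored XSS in a
// spreadsheet "preview" page and the output-encoding fix. Column names and row
// layout are assumptions; the sample rows below are constructed, not from a real file.

// Escape a value for an HTML text or double-quoted attribute context.
function escape_cell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: parsed cell values are concatenated into the page verbatim,
// so a cell containing markup becomes markup in every viewer's browser.
function render_preview_unsafe(array $columns, array $rows): string
{
    $html = '<table><tr>';
    foreach ($columns as $col) {
        $html .= '<th>' . $col . '</th>';
    }
    $html .= '</tr>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($columns as $col) {
            $html .= '<td>' . ($row[$col] ?? '') . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// Hardened pattern: identical layout, but headers and cells pass through escape_cell(),
// so the same content is displayed as text instead of being interpreted as HTML.
function render_preview_safe(array $columns, array $rows): string
{
    $html = '<table><tr>';
    foreach ($columns as $col) {
        $html .= '<th>' . escape_cell((string) $col) . '</th>';
    }
    $html .= '</tr>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($columns as $col) {
            $html .= '<td>' . escape_cell((string) ($row[$col] ?? '')) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// Constructed sample: what a parser might return for a VLAN import sheet in which
// one cell carries markup instead of a plain name.
$columns = ['name', 'number', 'description'];
$rows = [
    ['name' => 'Office VLAN', 'number' => '10', 'description' => 'Normal row'],
    ['name' => '<script>alert(1)</script>', 'number' => '20', 'description' => 'Crafted row'],
];

$unsafe = render_preview_unsafe($columns, $rows);
$safe   = render_preview_safe($columns, $rows);

// The unsafe rendering contains a live <script> element; the safe one only contains
// the escaped text form, which browsers display instead of executing.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo $safe, PHP_EOL;
```

Run it with `php -d zend.assertions=1 preview.php` so the assertions are evaluated. Escaping at the point of output is the fix that closes the bug regardless of what the parser returns; validating imported fields against their expected shape (a VLAN number is an integer, a name has a bounded character set) and serving a Content-Security-Policy that disallows inline script are defence-in-depth measures that reduce the impact if an escape is ever missed.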

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2022-1226

Affected Products: Phpipam