PT-2025-12056 · Phpipam · Phpipam

Published: 2025-03-20 · Updated: 2025-03-21 · CVE-2024-10719

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: phpipam versions 1.5.2 through 1.6.x

Description: A stored cross-site scripting (XSS) issue exists in the circuits options functionality. An attacker can inject script via the option parameter of a POST request to "/phpipam/app/admin/circuits/edit-options-submit.php". The stored value is later rendered without adequate output encoding, so the injected script executes in the browser of any user who views it, which can lead to cookie theft and end-user file disclosure.

Recommendations: For versions prior to 1.7.0, update to version 1.7.0, which resolves the issue. As a temporary workaround until the update can be applied, consider restricting access to the "/phpipam/app/admin/circuits/edit-options-submit.php" endpoint and avoid using the option parameter of the affected endpoint.
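The root cause described above is a stored value reaching an HTML page without contextual output encoding. The following PHP snippet is an added illustration and is not phpipam's code: it contrasts an unsafe render function with one that encodes at output time, and adds an input-side allow-list check for a submit handler. The function names, the $stored_options array and its hostile sample value are all constructed for the example.

```php
<?php
// Added illustrative example (not phpipam code). Function names and the
// sample data below are hypothetical / constructed for demonstration.
declare(strict_types=1);

// Constructed sample: option values as they might sit in the database.
// The second entry is a deliberately hostile value of the kind a stored
// XSS bug would persist; it must never reach the page unencoded.
$stored_options = [
    'bandwidth' => '10 Gbit/s',
    'note'      => '<script>alert(document.cookie)</script>',  // constructed hostile input
];

// Unsafe pattern: the stored value is interpolated straight into HTML.
// Anything the user saved is interpreted as markup by the browser.
function render_option_row_unsafe(string $name, string $value): string
{
    return "<tr><td>$name</td><td>$value</td></tr>";
}

// Hardened pattern: encode for the HTML element context at output time.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_option_row(string $name, string $value): string
{
    return '<tr><td>' . esc($name) . '</td><td>' . esc($value) . '</td></tr>';
}

// Optional input-side check for the submit handler: accept only characters
// that belong in an option label and cap the length. This narrows what is
// stored; output encoding above remains the control that actually prevents XSS.
function validate_option_value(string $value): bool
{
    return strlen($value) <= 256
        && preg_match('/^[\p{L}\p{N} .,:;\/_+-]*$/u', $value) === 1;
}

foreach ($stored_options as $name => $value) {
    echo "unsafe:    " . render_option_row_unsafe($name, $value) . "\n";
    echo "hardened:  " . render_option_row($name, $value) . "\n";
    echo "validates: " . var_export(validate_option_value($value), true) . "\n\n";
}
```

Run with `php example.php`: the "hardened" line shows the hostile value turned into inert text (`&lt;script&gt;...`), and `validate_option_value` returns `true` for the bandwidth entry and `false` for the hostile one. Applying the encoding in every template that prints circuit options, rather than at a single entry point, is what closes the stored variant of the bug.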

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2024-10719

Affected Products: Phpipam