CVE-2024-10720

Name of the Vulnerable Software and Affected Versions phpipam/phpipam version 1.5.2 phpipam/phpipam versions prior to 1.7.0

Description A stored cross-site scripting (XSS) issue exists in the 'Device Management' section under 'Administration', where an attacker can inject malicious scripts into the Name and Description fields when adding a new device type. This can lead to data theft, account compromise, distribution of malware, website defacement, and phishing attacks.

Recommendations For version 1.5.2, update to version 1.7.0 to resolve the issue. For versions prior to 1.7.0, update to version 1.7.0 to resolve the issue. As a temporary workaround, consider restricting access to the 'Device Management' section under 'Administration' to minimize the risk of exploitation. Avoid using the Name and Description fields in the 'Device Management' section until the issue is resolved.