CVE-2024-10723
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in phpipam/phpipam version 1.5.2 allows attackers to inject malicious scripts into the NAT tool's destination address field. When users interact with this field, the scripts execute, potentially leading to cookie theft, account compromise, or redirection to malicious sites. Organizations running phpipam 1.5.2 or earlier versions are affected.
💻 Affected Systems
- phpipam/phpipam
📦 What is this software?
phpipam (by the phpipam project): an open-source, PHP-based IP address management (IPAM) web application.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to network infrastructure compromise, data exfiltration, or lateral movement within the network.
Likely Case
Session hijacking through cookie theft, unauthorized access to user accounts, or redirection to phishing sites.
If Mitigated
Limited impact with proper input validation and output encoding in place, potentially only affecting individual user sessions.
🎯 Exploit Status
Exploitation requires authenticated access to inject malicious scripts into the stored field. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.0
Vendor Advisory: https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731
Restart Required: No
Instructions:
1. Back up your current phpipam installation and database.
2. Download phpipam version 1.7.0 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Run any database migration scripts if required.
5. Verify that the NAT tool functionality works correctly.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side input validation and output encoding for the NAT tool destination address field.
Modify application code to sanitize user input in the NAT module
Content Security Policy
Implement a strict Content Security Policy to prevent script execution from untrusted sources.
Add 'Content-Security-Policy' header with appropriate directives
🧯 If You Can't Patch
- Disable or restrict access to the NAT tool functionality in phpipam
- Implement web application firewall (WAF) rules to block XSS payloads targeting the destination address field
🔍 How to Verify
Check if Vulnerable:
Check if your phpipam version is 1.5.2 or earlier and if the NAT tool is accessible.
Check Version:
Check the version.php file or login page footer for version information
Verify Fix Applied:
After upgrading to version 1.7.0 or later, test the NAT tool's destination address field with XSS payloads to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to NAT tool endpoints with script tags or JavaScript payloads
- Multiple failed login attempts followed by NAT tool access
Network Indicators:
- HTTP requests containing script tags or JavaScript in destination address parameters
- Outbound connections to suspicious domains from phpipam server
SIEM Query:
source="phpipam" AND (uri="*nat*" AND (body="*<script>*" OR body="*javascript:*" OR body="*onload=*"))
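As an added example (not from this advisory or the phpipam project), the SIEM query above expressed as detection logic in Python and run over constructed request records; the record field names (method, uri, body) and the URI paths are assumptions, not phpipam's own log format:

```python
import re
from urllib.parse import unquote_plus

# Indicators mirror the advisory's SIEM query: a NAT-tool URI whose request
# body carries a script tag, a javascript: URL or an inline onload= handler.
# "nat" is deliberately a loose substring match, as in the query's "*nat*",
# so expect to tune it to the real endpoint paths of your deployment.
NAT_URI = re.compile(r"nat", re.IGNORECASE)
SCRIPT_INDICATORS = re.compile(r"<script|javascript:|onload=", re.IGNORECASE)


def is_suspicious_nat_request(record: dict) -> bool:
    """True when a request record (assumed keys: method, uri, body) is a POST
    to a NAT endpoint whose URL-decoded body contains a script indicator."""
    if record.get("method", "").upper() != "POST":
        return False
    if not NAT_URI.search(record.get("uri", "")):
        return False
    # Decode once so a percent-encoded payload does not slip past a literal match.
    body = unquote_plus(record.get("body", ""))
    return bool(SCRIPT_INDICATORS.search(body))


def find_suspicious(records):
    """Return the subset of records that match the advisory's indicators."""
    return [r for r in records if is_suspicious_nat_request(r)]


# Constructed sample records (not real phpipam logs); paths are illustrative.
SAMPLE_RECORDS = [
    {"method": "POST", "uri": "/app/tools/nat/edit-result.php",
     "body": "action=add&name=office&dst=10.0.0.5"},
    {"method": "POST", "uri": "/app/tools/nat/edit-result.php",
     "body": "action=add&name=office&dst=%3Cscript%3E1%3C%2Fscript%3E"},
    # Script tag, but not a NAT endpoint: the query's AND excludes it.
    {"method": "POST", "uri": "/app/subnets/edit-result.php",
     "body": "action=add&description=<script>1</script>"},
    {"method": "GET", "uri": "/app/tools/nat/", "body": ""},
]

if __name__ == "__main__":
    for r in find_suspicious(SAMPLE_RECORDS):
        print("ALERT:", r["uri"], r["body"])
```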