CVE-2024-10725

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in phpipam version 1.5.2 allows attackers to inject malicious scripts into NAT destination address fields. These scripts execute when other users view the affected pages, potentially compromising their accounts or stealing data. All users running vulnerable versions of phpipam are affected.

💻 Affected Systems

Products:
  • phpipam
Versions: 1.5.2 and earlier (fixed in 1.7.0)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to edit NAT destination addresses, but low-privilege users may have this capability.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the phpipam instance, pivot to internal networks, and compromise other systems.

🟠 Likely Case

Attackers steal user credentials, modify network configurations, or redirect users to phishing sites.

🟢 If Mitigated

Script execution is blocked by browser security features or Content Security Policy, limiting impact to minor UI disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available in the huntr.com bounty report. Attack requires authenticated access but minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0

Vendor Advisory: https://github.com/phpipam/phpipam/commit/c1697bb6c4e4a6403d69c0868e1eb1040f98b731

Restart Required: No

Instructions:

1. Back up your phpipam database and configuration.
2. Download phpipam version 1.7.0 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Verify the application functions correctly.

🔧 Temporary Workarounds

Input Sanitization

Applies to: all

Manually sanitize NAT destination address inputs by adding HTML entity encoding in the application code.

Edit the relevant PHP files to apply htmlspecialchars() or similar sanitization to the NAT destination fields.

Content Security Policy

Applies to: all

Implement a strict Content Security Policy header to block inline script execution.

Add the header Content-Security-Policy: script-src 'self' to the web server configuration.

🧯 If You Can't Patch

  • Restrict user permissions to prevent low-privilege users from editing NAT destination addresses.
  • Implement web application firewall (WAF) rules to block XSS payloads in NAT-related requests.

🔍 How to Verify

Check if Vulnerable:

Check if your phpipam version is 1.5.2 or earlier by viewing the version in the web interface or checking the source code.

Check Version:

grep -r "define('VERSION'" /path/to/phpipam/

or check the web interface footer.

Verify Fix Applied:

After patching, attempt to inject a simple XSS payload (e.g., <script>alert('test')</script>) into a NAT destination address field and verify that it is rendered as inert text rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to NAT editing endpoints containing script tags or JavaScript code
  • Multiple failed login attempts followed by NAT modifications

Network Indicators:

  • Outbound connections to suspicious domains from phpipam server after users view NAT pages

SIEM Query:

source="phpipam" AND (uri="/app/admin/nat/edit.php" OR uri="/app/tools/nat/edit.php") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%")
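The SIEM query above matches the literal strings <script> and javascript: in the request body, so a URL-encoded body is missed. The following Python scanner is an added example (not part of the original advisory or of phpipam) that applies the same endpoint and content checks to constructed JSON log lines after URL-decoding the body twice; the inline event-handler pattern is an assumed extension of the page's query.

```python
import json
import re
from urllib.parse import unquote_plus

# NAT edit endpoints taken from the page's SIEM query.
NAT_EDIT_ENDPOINTS = {"/app/admin/nat/edit.php", "/app/tools/nat/edit.php"}

# Script-like content, matched AFTER URL-decoding. The third pattern (inline
# event handler attributes such as onerror=) is an assumed extension.
SCRIPT_PATTERNS = (
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"""[\s"'/]on[a-z]+\s*=""", re.I),
)


def is_suspicious_nat_request(entry: dict) -> bool:
    """True for a POST to a NAT edit endpoint whose body holds script-like content."""
    if entry.get("method", "").upper() != "POST":
        return False
    if entry.get("uri") not in NAT_EDIT_ENDPOINTS:
        return False
    # Decode twice so single- and double-URL-encoded bodies are both seen;
    # a literal LIKE '%<script>%' on the raw body misses %3Cscript%3E.
    body = unquote_plus(unquote_plus(entry.get("request_body", "")))
    return any(p.search(body) for p in SCRIPT_PATTERNS)


def flagged_lines(log_lines) -> list:
    """Return 1-based numbers of the JSON log lines that should raise an alert."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if is_suspicious_nat_request(entry):
            hits.append(n)
    return hits


# Constructed sample log (JSON lines), not real phpipam or web server output.
SAMPLE_LOG = [
    '{"method":"POST","uri":"/app/admin/nat/edit.php","request_body":"action=edit&dst=10.0.0.5&name=web"}',
    '{"method":"POST","uri":"/app/admin/nat/edit.php","request_body":"dst=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E"}',
    '{"method":"GET","uri":"/app/tools/nat/edit.php","request_body":""}',
    '{"method":"POST","uri":"/app/tools/nat/edit.php","request_body":"dst=javascript%3Aalert%281%29"}',
    '{"method":"POST","uri":"/app/admin/nat/edit.php","request_body":"dst=10.0.0.9&online=1&notes=ok"}',
    '{"method":"POST","uri":"/index.php","request_body":"q=%3Cscript%3E"}',
    '{"method":"POST","uri":"/app/admin/nat/edit.php","request_body":"dst=%253Cscript%253Ealert(1)"}',
]

if __name__ == "__main__":
    print(flagged_lines(SAMPLE_LOG))  # [2, 4, 7]
```

Lines 1, 3, 5 and 6 are benign traffic, a GET, a field named "online", and a non-NAT endpoint, and are not flagged; line 7 is only caught because of the second decoding pass.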

