A recently discovered vulnerability, CVE-2022-3845, has been found in phpipam, an open-source IP address management system. It is classified as problematic and allows cross-site scripting (XSS) attacks. The affected functionality is the Import Preview Handler in the file app/admin/import-export/import-load-data.php. The vulnerability can be exploited remotely, and upgrading to version 1.5. is strongly recommended to address the issue. The identifier VDB-212863 is associated with this vulnerability, and the patch is identified by commit 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc.

Vulnerability Details

The vulnerability is triggered by manipulating the input handled by the Import Preview Handler in the import-load-data.php file. An attacker can use this to inject malicious scripts that might compromise the security of users visiting the targeted site.

Below is a snippet of the affected code in the import-load-data.php file:

// vulnerability lies in this section
if($_POST['action'] == "showImport") {
	// build the preview rows; imported values are placed into the HTML unescaped
	foreach($csv as $item) {
		$preview[] = "<tr><td>".implode('</td><td>', $item)."</td></tr>";
	}
}

References

- Patch commit in the phpipam GitHub repository: https://github.com/phpipam/phpipam/commit/22c797c3583001211fe7d31bccd3f1d4aeeb3bbc
- Vulnerability database entry (VDB-212863): https://vuldb.com/?id.212863

Exploit Details

To exploit this vulnerability, an attacker would need to carry out an XSS attack using crafted import data that takes advantage of the affected functionality. The import preview data is manipulated so that a script is injected into the page the target application renders.

Mitigation and Patch Information

The recommended way to resolve this issue is to upgrade to phpipam version 1.5., which contains the patch 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc. This patch addresses the vulnerability in the Import Preview Handler component and removes the risk of cross-site scripting attacks through it.
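
The pattern in the snippet above next to an output-encoded version, as an added example: this is not phpipam code and not the contents of the upstream patch. The function names and the sample rows in $csv are constructed for illustration.

```php
<?php
// Added illustration; not phpipam code and not the upstream patch.
// $csv is constructed sample data standing in for parsed import rows.

/**
 * Encode one imported value for use inside an HTML element.
 */
function preview_cell($value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Same pattern as the affected snippet: raw values concatenated into markup.
 */
function preview_row_unsafe(array $item): string
{
    return "<tr><td>" . implode('</td><td>', $item) . "</td></tr>";
}

/**
 * Every cell is encoded before it is joined into the table row.
 */
function preview_row_safe(array $item): string
{
    $cells = array_map('preview_cell', $item);
    return "<tr><td>" . implode('</td><td>', $cells) . "</td></tr>";
}

$csv = [
    ['10.0.0.1', 'core-sw1', 'Rack 4'],
    // Second row carries markup in a text field, as an imported file could.
    ['10.0.0.2', '<img src=x onerror=alert(1)>', 'Rack "5" & spare'],
];

foreach ($csv as $item) {
    echo "unsafe: ", preview_row_unsafe($item), PHP_EOL;
    echo "safe:   ", preview_row_safe($item), PHP_EOL;
}
```

In the second row, the unsafe output contains a live img element, while the safe output shows the same text with its angle brackets, quotes and ampersand encoded as entities.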

Conclusion

Due to the problematic nature of the CVE-2022-3845 vulnerability, it is highly recommended to upgrade the affected phpipam component to version 1.5., which includes the necessary patch, 22c797c3583001211fe7d31bccd3f1d4aeeb3bbc, and counters the risk of XSS attacks. Always stay up to date with security updates so that systems and applications remain secure against vulnerabilities like this one.

Timeline

Published on: 11/02/2022 20:15:00 UTC
Last modified on: 11/04/2022 01:32:00 UTC