phpIPAM is a popular open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management. It is php-based application with MySQL database backend, using jQuery libraries, ajax and HTML5/CSS3 features.
A vulnerability in phpIPAM version 1.3.2 and earlier was found that contains a Cross Site Scripting (XSS) exploit in the subnet-scan-telnet.php that can result in executing code in victims browser.
This vulnerability is assigned CVE-2019-1000010 and was published on 02/04/2019. The attack can be launched remotely. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available.
Upgrading phpIPAM
This vulnerability is confirmed to have been fixed in version 1.4 and it is recommended that you upgrade to the latest version as soon as possible.
To upgrade phpIPAM to the latest version you can extract the new code and copy over the old config.php file.
[root@ipam /]# cd /var/www/phpipam[root@ipam /var/www/phpipam]# tar -xvf phpipam-1.3.2.tar[root@ipam /var/www/phpipam]# cp /backup/location/config.php /var/wwwIn case you use Git you can use the following steps to upgrade:
root@ipam /]# cd /var/www/phpipamroot@ipam /var/www/phpipam]# git pullroot@ipam /var/www/phpipam]# git checkout -b 1.3 origin/1.3root@ipam /var/www/phpipam]# git submodule update --init --recursiveWebsite: https://phpipam.net/