phpIPAM is a popular open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management. It is php-based application with MySQL database backend, using jQuery libraries, ajax and HTML5/CSS3 features.
A vulnerability in phpIPAM version 1.3.2 and earlier was found that contains a Cross Site Scripting (XSS) exploit in the
subnet-scan-telnet.php that can result in executing code in victims browser.
This vulnerability is assigned CVE-2019-1000010 and was published on 02/04/2019. The attack can be launched remotely. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available.
This vulnerability is confirmed to have been fixed in version 1.4 and it is recommended that you upgrade to the latest version as soon as possible.
To upgrade phpIPAM to the latest version you can extract the new code and copy over the old
[root@ipam /]# cd /var/www/phpipam [root@ipam /var/www/phpipam]# tar -xvf phpipam-1.3.2.tar [root@ipam /var/www/phpipam]# cp /backup/location/config.php /var/www
In case you use Git you can use the following steps to upgrade:
root@ipam /]# cd /var/www/phpipam root@ipam /var/www/phpipam]# git pull root@ipam /var/www/phpipam]# git checkout -b 1.3 origin/1.3 root@ipam /var/www/phpipam]# git submodule update --init --recursive