CVE-2025-61078
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-12

Assigner: MITRE

Description
Cross-site scripting (XSS) vulnerability in Request IP form in phpIPAM v1.7.3 allows remote attackers to inject arbitrary web script or HTML via the instructions parameter for the /app/admin/instructions/edit-result.php endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61078
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpipam phpipam 1.7.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a cross-site scripting (XSS) issue in the Request IP form of phpIPAM version 1.7.3. It allows remote attackers to inject arbitrary web scripts or HTML code through the 'instructions' parameter in the /app/admin/instructions/edit-result.php endpoint.

Impact Analysis

An attacker exploiting this vulnerability could execute malicious scripts in the context of the affected web application, potentially leading to theft of user credentials, session hijacking, or other malicious actions performed on behalf of the user.

Compliance Impact

The vulnerability allows an attacker to inject malicious scripts that can potentially expose sensitive information such as user credentials. This exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure. [2]

Detection Guidance

This vulnerability can be detected by sending a POST request to the endpoint /app/admin/instructions/edit-result.php with a crafted payload in the instructions parameter that includes a form with a button triggering a JavaScript prompt. For example, you can use a command like: curl -X POST -d "instructions=<form><input hidden id='username' name='username'/><input hidden id='password' name='password' type='password'/><button formaction='javascript:javascript:prompt(\'XSS Present\')'>Click Here To Request IP</button></form>" http://<target-ip>/app/admin/instructions/edit-result.php Then, navigate to the Request IP page and click the "Click Here To Request IP" button. If a prompt displaying "XSS Present" appears, the vulnerability is present. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade phpIPAM to version 1.7.4 or later, as this version contains the fix for the vulnerability. The fix was committed on November 17, 2025, and version 1.7.4 was released on November 27, 2025. Until the upgrade can be performed, restrict access to the affected endpoint and ensure only trusted users have access to the Request IP form to reduce the risk of exploitation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61078. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart