CVE-2025-61078
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-12
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpipam | phpipam | 1.7.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue in the Request IP form of phpIPAM version 1.7.3. It allows remote attackers to inject arbitrary web scripts or HTML code through the 'instructions' parameter in the /app/admin/instructions/edit-result.php endpoint.
How can this vulnerability impact me?
An attacker exploiting this vulnerability could execute malicious scripts in the context of the affected web application, potentially leading to theft of user credentials, session hijacking, or other malicious actions performed on behalf of the user.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to inject malicious scripts that can potentially expose sensitive information such as user credentials. This exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a POST request to the endpoint /app/admin/instructions/edit-result.php with a crafted payload in the instructions parameter that includes a form with a button triggering a JavaScript prompt. For example, you can use a command like:

```shell
curl -X POST -d "instructions=<form><input hidden id='username' name='username'/><input hidden id='password' name='password' type='password'/><button formaction='javascript:javascript:prompt(\'XSS Present\')'>Click Here To Request IP</button></form>" http://<target-ip>/app/admin/instructions/edit-result.php
```

Then, navigate to the Request IP page and click the "Click Here To Request IP" button. If a prompt displaying "XSS Present" appears, the vulnerability is present. [2]
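As an added defensive example (not code from BaseFortify or the phpIPAM project), the following Python flags POST submissions to the affected endpoint whose instructions value carries active HTML, so exploitation attempts can be spotted in captured request bodies without sending any payload. The log line format and the sample lines are constructed for this example; the same check can be run over instructions values exported from the database.

```python
"""Defensive check for CVE-2025-61078: stored XSS via the 'instructions'
parameter of /app/admin/instructions/edit-result.php in phpIPAM 1.7.3.

Scans captured POST bodies (e.g. from a reverse proxy or WAF that logs
request bodies) for submissions to the endpoint that contain markup which
would execute when the Request IP page renders it.
"""
import re
from urllib.parse import parse_qs

ENDPOINT = "/app/admin/instructions/edit-result.php"

# Coarse heuristic for markup that has no place in free-text instructions:
# HTML tags, javascript: URL handlers, inline event handlers, formaction.
ACTIVE_HTML = re.compile(
    r"<\s*/?\s*[a-z][^>]*>|javascript\s*:|\bon[a-z]{2,}\s*=|formaction\s*=",
    re.IGNORECASE,
)


def suspicious_instructions(value: str) -> bool:
    """True if an 'instructions' value contains active HTML."""
    return bool(ACTIVE_HTML.search(value))


def scan_post_log(lines):
    """Yield (client_ip, decoded_instructions) for POSTs to ENDPOINT whose
    body carries active HTML.

    Constructed line format assumed here: '<ip> <method> <path> <urlencoded body>'.
    """
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) != 4 or parts[1] != "POST" or parts[2] != ENDPOINT:
            continue
        body = parse_qs(parts[3])  # URL-decodes the form body
        for value in body.get("instructions", []):
            if suspicious_instructions(value):
                yield parts[0], value


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "10.0.0.5 POST /app/admin/instructions/edit-result.php instructions=Ask+the+network+team+first.",
    "10.0.0.9 POST /app/admin/instructions/edit-result.php "
    "instructions=%3Cform%3E%3Cbutton+formaction%3D%27javascript%3Aprompt%281%29%27%3Eclick%3C%2Fbutton%3E%3C%2Fform%3E",
    "10.0.0.5 GET /app/tools/request-ip/ -",
]

if __name__ == "__main__":
    for ip, value in scan_post_log(SAMPLE_LOG):
        print(f"suspicious instructions submission from {ip}: {value!r}")
```

Review each hit before acting on it: the heuristic also trips on harmless text such as "a < b and c > d".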
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade phpIPAM to version 1.7.4 or later, as this version contains the fix for the vulnerability. The fix was committed on November 17, 2025, and version 1.7.4 was released on November 27, 2025. Until the upgrade can be performed, restrict access to the affected endpoint and ensure only trusted users have access to the Request IP form to reduce the risk of exploitation. [2]