CVE-2022-1226

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-1226

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-1226.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-1226

Published

2024-11-15T11:15:07.527Z

Modified

2025-11-14T12:45:32.752855Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.

References

Affected packages

Git / github.com/phpipam/phpipam

Affected ranges

Type: GIT
Repo: https://github.com/phpipam/phpipam
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

50e36b9e4fff5eaa51dc6e42bc684748da378002

Affected versions

v1.*

v1.16.003

v1.19.008

v1.2.0

v1.2.0_beta2

v1.3.0

v1.3.2

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-1226.json"