PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6481 Phpipam CVE debrief

CVE-2017-6481 is a medium-severity cross-site scripting (XSS) issue affecting phpipam 1.2. According to the NVD record, multiple pages accepted user-supplied data with insufficient filtering, including the instructions parameter in app/admin/instructions/preview.php and the subnetId parameter in app/admin/powerDNS/refresh-ptr-records.php. An attacker who gets a victim to load a crafted request can have the victim's browser execute arbitrary HTML and script in the origin of the vulnerable phpipam site.

Vendor
phpipam
Product
phpipam
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-05
Original CVE updated
2026-05-13
Advisory published
2017-03-05
Advisory updated
2026-05-13

Who should care

Administrators and maintainers of phpipam deployments, in particular anyone still running version 1.2 or an older branch within the NVD CPE range. Security teams should also take note wherever the affected admin pages are reachable from a browser: the vector carries PR:N and UI:R, so the attacker needs no account of their own but does need a logged-in phpipam user, typically an administrator, to follow a crafted link or submit a crafted request.

Technical summary

NVD classifies the issue as CWE-79 (Cross-Site Scripting) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerable input points identified in the record are the instructions parameter in app/admin/instructions/preview.php and the subnetId parameter in app/admin/powerDNS/refresh-ptr-records.php. Because the injected markup is executed by the victim's browser rather than by the server, exploitation requires user interaction (UI:R) and the scope changes from the phpipam application to the browser (S:C). Script running in the phpipam origin can read page content and session-bound data and perform actions as the victim, which is why the vector rates both confidentiality and integrity impact as low and availability impact as none.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade phpipam to a release that contains the fix; the NVD references point to the project's GitHub issue tracker for the vendor advisory.
  • Review app/admin/instructions/preview.php and app/admin/powerDNS/refresh-ptr-records.php for correct output encoding and input validation.
  • Treat user-supplied values such as instructions and subnetId as untrusted and encode them for the context they are written into (HTML body, attribute, JavaScript) before rendering.
  • Add or tighten server-side validation so that only expected formats and values are accepted; an identifier such as subnetId should be accepted only as a numeric ID and otherwise rejected, never echoed back unencoded in an error message.
  • Audit administrator-facing workflows that render these fields and verify they do not reflect raw request input into the browser.
  • If feasible, deploy browser-side defense in depth such as a restrictive Content Security Policy that disallows inline script; this limits what an injection can do but does not remove the underlying bug.
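
The following PHP is an added illustration, not phpipam's own code (this page does not reproduce the project's source). It contrasts the reflection pattern the NVD record describes with a hardened handler: context-correct HTML encoding for free text such as instructions, strict integer validation for an identifier such as subnetId, and a Content-Security-Policy header as defense in depth. The function names, the markup, the probe strings and the exact CSP are assumptions; only the two parameter names come from the record.

```php
<?php
declare(strict_types=1);

// Added example, not phpipam code. Function names, markup and the policy
// below are assumptions chosen for illustration.

// Vulnerable pattern (CWE-79): a request parameter is written straight into
// the HTML response, so "<script>" in the parameter becomes a script element.
function render_preview_unsafe(array $request): string
{
    $instructions = $request['instructions'] ?? '';
    return "<div class='instructions'>{$instructions}</div>";
}

// Encode for the HTML body context. ENT_QUOTES also neutralises quotes so the
// same helper is safe inside quoted attributes; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_preview_safe(array $request): string
{
    $raw = $request['instructions'] ?? '';
    // PHP turns "?instructions[]=x" into an array; treat anything that is
    // not a plain string as empty rather than casting it.
    $instructions = is_string($raw) ? $raw : '';
    return "<div class='instructions'>" . html_encode($instructions) . "</div>";
}

// An identifier should be validated, not merely encoded: accept a positive
// integer and nothing else.
function parse_subnet_id(array $request): ?int
{
    $raw = $request['subnetId'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function render_ptr_refresh_safe(array $request): string
{
    $id = parse_subnet_id($request);
    if ($id === null) {
        // Reject with a fixed message; never reflect the rejected value.
        return '<p>Invalid subnet id</p>';
    }
    // $id is an int here, so interpolation cannot introduce markup.
    return "<p>Refreshing PTR records for subnet {$id}</p>";
}

// Defense in depth: forbid inline script and remote script sources.
// Assumed policy; a real deployment must allow whatever phpipam's own pages need.
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
}

// Constructed probe input standing in for a crafted request; not an exploit
// string taken from the record.
$probe = [
    'instructions' => '<script>alert(document.domain)</script>',
    'subnetId'     => '1<img src=x onerror=alert(1)>',
];

echo "unsafe:  ", render_preview_unsafe($probe), PHP_EOL;
echo "safe:    ", render_preview_safe($probe), PHP_EOL;
echo "ptr bad: ", render_ptr_refresh_safe($probe), PHP_EOL;
echo "ptr ok:  ", render_ptr_refresh_safe(['subnetId' => '42']), PHP_EOL;
echo "array:   ", render_preview_safe(['instructions' => ['x']]), PHP_EOL;
echo csp_header(), PHP_EOL;
```

Run it with `php xss_hardening.php`. The unsafe line reproduces the script tag verbatim, the safe line shows it as `&lt;script&gt;...`, the malformed subnetId is rejected without being echoed, and the array-valued parameter renders as an empty element instead of the string "Array". The point of splitting free text from identifiers is that encoding is the right tool for the former, while the latter should never reach the template as anything but a validated integer.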

Evidence notes

This debrief is based on the NVD CVE record and its references. The record states that phpipam 1.2 is affected, identifies the vulnerable parameters and pages, and classifies the weakness as CWE-79 with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The references include a SecurityFocus BID entry and a GitHub issue in the phpipam project tracker tagged as both Exploit and Vendor Advisory.

Official resources

The CVE record was published on 2017-03-05 and last modified on 2026-05-13. The later date reflects updates to the NVD record itself (for example CPE or reference changes), not a new disclosure or a change to the affected version.