On the 2nd of September 2025 phpIPAM was notified of an XSS vulnerability that allows an authenticated attacker to craft an HTML form containing javascript: pseudo-protocol URLs, which is then displayed in the Instructions area of the Request IP page of the application.
Versions up to and including v1.7.3 are potentially vulnerable; a fix was released with version 1.7.4 and is also included in the upcoming v1.8 version.
If a user submits that particular form, the javascript code runs in the victim's browser, potentially leaking details about the victim, such as the credentials used to log into the application.
Testing for the vulnerability can be done by adding the following code in the instructions parameter of the body of the POST request sent to the /app/admin/instructions/edit-result.php endpoint:
<form>
<input hidden="" id="username" name="username" />
<input hidden="" id="password" name="password" type="password" />
<button formaction="javascript:javascript:prompt('XSS Present')">
Click Here To Request IP
</button>
</form>
Then, if you navigate to the Request IP page and click on the button labeled "Click Here To Request IP", a prompt will be shown with the message "XSS Present". Certain payloads can also be used to exfiltrate data such as usernames and passwords.
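The root cause is that a stored HTML fragment reaches other users' browsers with URL-bearing attributes (formaction, action, href, src) left intact. The following is an added example, written for this advisory and not phpIPAM's own code nor the vendor's fix, of the server-side check such a fragment needs before it is stored or rendered: the scheme of every URL attribute is compared against an allowlist after the normalisation browsers themselves apply (case folding, stripping of ASCII control characters), so "javascript:javascript:..." and "JaVa\tscript:" are both rejected. It is in Python so it can be run as-is; the function names, the allowlists and the sample fragment (modelled on the proof of concept above) are all assumptions of this example.

```python
"""Detect and neutralise script-scheme URLs in user-supplied HTML fragments.

Hypothetical example for the phpIPAM advisory above; it is not project code.
It models the class of defect described there: an HTML form whose
formaction attribute carries a javascript: URL, stored through an
instructions editor and later rendered to other users.
"""
import re
from html import escape
from html.parser import HTMLParser

# Attributes whose value the browser follows as a URL (navigable or executable).
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href", "data"}
# Allowlist: anything not listed here (javascript:, data:, vbscript:, ...) is dropped.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Browsers ignore ASCII control characters and whitespace inside a scheme name,
# so they must be removed before the scheme is inspected.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")
# A scheme is a leading run of scheme characters terminated by ':' (RFC 3986).
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def url_is_safe(value):
    """Return True if following this attribute value cannot execute script."""
    cleaned = _CTRL_WS.sub("", value).lower()
    match = _SCHEME.match(cleaned)
    if match is None:
        return True  # relative URL (no scheme), e.g. /app/tools/request-ip/
    return match.group(1) in SAFE_SCHEMES


class ScriptUrlStripper(HTMLParser):
    """Re-serialise a fragment, dropping unsafe URL attributes and event handlers."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # attribute values arrive unescaped
        self.out = []
        self.dropped = []  # (tag, attribute, value) records, useful for alerting

    def _render_attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):  # every on* attribute in HTML is an event handler
                self.dropped.append((tag, name, value))
                continue
            if lname in URL_ATTRIBUTES and value is not None and not url_is_safe(value):
                self.dropped.append((tag, name, value))
                continue
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text was unescaped by the parser


def sanitize_instructions_html(fragment):
    """Return (cleaned_fragment, dropped_attributes) for a stored HTML fragment."""
    parser = ScriptUrlStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample, modelled on the advisory's proof of concept.
SAMPLE_FRAGMENT = (
    '<form>'
    '<input hidden="" id="username" name="username" />'
    '<input hidden="" id="password" name="password" type="password" />'
    '<button formaction="javascript:javascript:prompt(\'XSS Present\')">'
    'Click Here To Request IP'
    '</button>'
    '</form>'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize_instructions_html(SAMPLE_FRAGMENT)
    print(cleaned)
    for tag, attr, value in dropped:
        print(f"dropped <{tag} {attr}={value!r}>")
```

The check is an allowlist on the scheme rather than a search for the string "javascript", which is why the doubled prefix in the proof of concept and case or control-character variants are all caught by the same two lines. In a real application this belongs inside a full allowlist-based HTML sanitiser (for PHP, a library such as HTML Purifier) applied at storage time and again at render time; the example isolates only the attribute check that the described defect lacked.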
Timeline:
02 September 2025: Vendor notified
03 September 2025: CVE ID Request sent
17 November 2025: Fix committed to v1.7 and v1.8 branches
27 November 2025: Version 1.7.4 released
05 December 2025: Public disclosure