CVE-2022-23046

EPSS 25.2%

PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL sentences in the "subnet" parameter while searching a subnet via app/admin/routing/edit-bgp-mapping-search.php

Affected products

n/a · PhpIPAM

public PoCs found — 6

githubgithub.com/dnr6419/CVE-2022-23046★ 4 githubgithub.com/bernauers/CVE-2022-23046★ 1 githubgithub.com/jcarabantes/CVE-2022-23046★ 1 githubgithub.com/hadrian3689/phpipam_1.4.4★ 0 cve_referencepacketstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.htmlunverified exploitdbwww.exploit-db.com/exploits/50684unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/165683/PHPIPAM-1.4.4-SQL-Injection.html https://fluidattacks.com/advisories/mercury/https://github.com/phpipam/phpipam/releases/tag/v1.4.5