Vulnerability CVE-2020-7988: Information

Description

An issue was discovered in tools/pass-change/result.php in phpIPAM 1.4. CSRF can be used to change the password of any user/admin, to escalate privileges, and to gain access to more data and functionality. This issue exists due to the lack of a requirement to provide the old password, and the lack of security tokens.

Severity: HIGH (8.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Published: March 4, 2020
Modified: March 6, 2020
Weakness type identifier: CWE-352

References to Advisories, Solutions, and Tools

| Hyperlink | Resource |
| --- | --- |
| https://pastebin.com/ZPECbgZb | Exploit, Third Party Advisory |
| https://phpipam.net/news/phpipam-v1-5-released/ | Broken Link, Vendor Advisory |

Configuration 1

cpe:2.3:a:phpipam:phpipam:1.4:*:*:*:*:*:*:*