Bug 27914 - phpipam new security issues CVE-2019-1000010 and CVE-2020-13225
Summary: phpipam new security issues CVE-2019-1000010 and CVE-2020-13225
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2020-12-23 12:33 CET by Zombie Ryushu
Modified: 2021-01-19 00:27 CET

See Also:
Source RPM: phpipam-1.1.010-5.mga8.src.rpm
CVE: CVE-2020-13225
Status comment:



Description Zombie Ryushu 2020-12-23 12:33:48 CET
phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in subnet-scan-telnet.php that can result in executing code in victims browser. This attack appears to be exploitable via victim visits link crafted by an attacker. This vulnerability appears to have been fixed in 1.4.

phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within the Edit User Instructions field of the User Instructions widget.

Zombie Ryushu 2020-12-23 12:34:29 CET

CVE: (none) => CVE-2020-13225

Zombie Ryushu 2020-12-23 12:34:41 CET

Summary: phpipam security issue CVE-2019-1000010 => phpipam security issue CVE-2019-1000010 CVE-2020-13225

Comment 1 David Walser 2020-12-23 17:58:07 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13225

Looks like this unmaintained package should be dropped.

Summary: phpipam security issue CVE-2019-1000010 CVE-2020-13225 => phpipam new security issues CVE-2019-1000010 and CVE-2020-13225
Whiteboard: (none) => MGA7TOO
Source RPM: phpipam-1.1.010-5.mga8.src => phpipam-1.1.010-5.mga8.src.rpm
Assignee: bugsquad => mageia
Version: 7 => Cauldron

Comment 2 Marc Krämer 2020-12-23 18:39:29 CET
latest version is 1.4 from 2019. In maintdb ennael is set as maintainer.

Comment 3 David Walser 2020-12-23 18:44:15 CET
Also imported by dlucio.  Neither have been active for years.

Comment 4 Marc Krämer 2020-12-23 18:45:53 CET
hmm, I'm ok with dropping.

Comment 5 Nicolas Lécureuil 2020-12-23 22:06:23 CET
ok so we fix for mga7 and drop for cauldron. Seems a good idea :-)

CC: (none) => mageia

Comment 6 Nicolas Lécureuil 2020-12-24 00:07:58 CET
new rpm pushed in mageia 7 ( new version 1.4.1 ) 

it contains even more security fixes among:
    Security Fixes:
    ----------------------------
    + SQL injections processing `tableName` (#2738);
    + SQL injections processing `ftype` (#2751);
    + All circuits map, PHP object injection (#2937);


src:
 phpipam-1.4.1-1.mga7

Nicolas Lécureuil 2020-12-24 00:08:16 CET

Assignee: mageia => qa-bugs

Comment 7 David Walser 2020-12-24 00:41:32 CET
Advisory:
========================

Updated phpipam package fixes security vulnerabilities:

phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS)
vulnerability in subnet-scan-telnet.php that can result in executing code in
victims browser. This attack appears to be exploitable via victim visits link
crafted by an attacker (CVE-2019-1000010).

phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within
the Edit User Instructions field of the User Instructions widget
(CVE-2020-13225).

The phpipam package has been updated to version 1.4.1, which fixes these
issues, along with several other security issues and bugs.  See the release
announcements for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13225
https://github.com/phpipam/phpipam/releases
========================

Updated packages in core/updates_testing:
========================
phpipam-1.4.1-1.mga7

from phpipam-1.4.1-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 8 Thomas Andrews 2021-01-18 22:58:50 CET
Installed phpipam and dependencies. Attempted to update using QA Repo and the package name in Comment 7, and I get this:

There was a problem during the installation:

file /usr/share/phpipam/functions/locale/de_DE from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/en from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/es_ES from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/fr_FR from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/nl_NL from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/pt_BR from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/sl_SI from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

I think it needs more work...

CC: (none) => andrewsfarm

Comment 9 David Walser 2021-01-19 00:02:02 CET
Sounds like a file type change that needs to be handled in a %pretrans scriptlet.

Keywords: (none) => feedback

Comment 10 Dave Hodgins 2021-01-19 00:27:42 CET
It's changing the files from being directories to being symlinks to the newly
added UTF-8 versions of the files.

CC: (none) => davidwhodgins
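
Added example (not from this bug or the phpipam package): the directory-to-symlink change described in Comments 9 and 10 is the case a `%pretrans` Lua scriptlet handles, by moving the old directories aside before the transaction starts. The paths are the ones in the conflict output in Comment 8; the `.rpmmoved` suffix and the retry cap are assumptions.

```spec
# Added example, not the package's own spec.
# %pretrans runs before anything is installed, so it is written in RPM's
# embedded Lua rather than shell.
%pretrans -p <lua>
-- Locale paths reported as conflicting in Comment 8.
local base = "/usr/share/phpipam/functions/locale/"
local names = { "de_DE", "en", "es_ES", "fr_FR", "nl_NL", "pt_BR", "sl_SI" }

for _, name in ipairs(names) do
  local path = base .. name
  local st = posix.stat(path)
  -- Skip fresh installs (st is nil) and anything that is not a directory.
  if st and st.type == "directory" then
    local target = path .. ".rpmmoved"   -- assumed backup suffix
    local ok = os.rename(path, target)
    local suffix = 0
    -- A leftover backup from an earlier run blocks the rename; fall back
    -- to a numbered name, giving up after a bounded number of attempts.
    while not ok and suffix < 100 do
      suffix = suffix + 1
      ok = os.rename(path, target .. "." .. suffix)
    end
  end
end
```

The renamed `.rpmmoved` directories stay on disk and are not owned by the package unless the spec lists them as `%ghost` entries.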

