phpipam/phpipam
cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*
- 1.5.1
A vulnerability exists in phpipam version 1.5.1, where the Secure attribute for sensitive cookies is not set in HTTPS sessions. This oversight can lead to the user agent transmitting those cookies in plaintext over an HTTP connection, potentially exposing sensitive information. The issue has been addressed in phpipam version 1.7.0.
Without the Secure attribute, cookies can be sent unencrypted over HTTP, exposing them to interception and misuse.
To reproduce this vulnerability, log into a phpipam instance on version 1.5.1 using admin credentials. After logging in, open the browser's developer tools and navigate to the 'Storage' or 'Application' tab, then select 'Cookies'. Check the cookies for the phpipam site and observe that the 'Secure' attribute is set to 'false'.
Upgrade phpipam to version 1.7.0 or later.
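The browser check above can also be done against the response headers, for example to confirm the result after upgrading. The following is an added example, not phpipam code: it parses `Set-Cookie` header values and lists the cookies that lack the Secure attribute. The cookie names and header values are constructed sample data.

```python
# Added example: audit Set-Cookie header values for the Secure attribute.
# All cookie names and values below are constructed, not captured from phpipam.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, attribute dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value; it is never an attribute,
    # so a cookie whose *value* is the word "secure" is not misread.
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive (RFC 6265).
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies whose header lacks the Secure attribute.

    Pass one list item per Set-Cookie header; do not comma-join them,
    because Expires dates contain commas.
    """
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Presence of the attribute is what counts; any value is ignored.
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed headers resembling a response without the Secure attribute.
SAMPLE_WITHOUT_SECURE = [
    "session_example=abc123; path=/; HttpOnly",
    "token=secure; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
# Constructed headers resembling a response with the attribute set.
SAMPLE_WITH_SECURE = [
    "session_example=abc123; path=/; HttpOnly; Secure; SameSite=Lax",
    "token=xyz; Path=/; SECURE",
]

if __name__ == "__main__":
    for label, headers in (("without", SAMPLE_WITHOUT_SECURE),
                           ("with", SAMPLE_WITH_SECURE)):
        print(label, "Secure ->", cookies_missing_secure(headers) or "none missing")
```

Feed it the `Set-Cookie` values returned by your own instance over HTTPS; an empty result means every cookie in that response carries the attribute.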