CVE-2019-16693 in phpIPAM

Summary

by MITRE

phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.


Analysis

by VulDB Data Team • 12/08/2025

The vulnerability CVE-2019-16693 represents a critical SQL injection flaw within phpIPAM version 1.4, specifically affecting the application's administrative custom fields functionality. This vulnerability exists in the table parameter of the app/admin/custom-fields/order.php endpoint when the action parameter is set to add. The flaw stems from insufficient input validation and sanitization of user-supplied data, allowing malicious actors to inject arbitrary SQL commands into the database query execution pipeline. The affected phpIPAM version demonstrates a classic improper input validation issue that violates fundamental security principles for database interactions.

The technical exploitation of this vulnerability occurs through manipulation of the table parameter in the custom fields ordering functionality. When an attacker submits a crafted request with the action parameter set to add, the application fails to properly sanitize or escape the table parameter value before incorporating it into SQL queries. Malicious SQL payloads can therefore be executed with the privileges of the database user account that phpIPAM uses. The vulnerability falls under CWE-89, which specifically addresses SQL injection flaws, and aligns with ATT&CK technique T1071.004 for application layer protocol manipulation. The attack vector requires administrative access to the phpIPAM interface; from that position, however, it could enable privilege escalation to the database layer or complete database compromise.

The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could result in full database compromise, unauthorized access to network infrastructure configurations, and potential lateral movement within the network. Attackers could extract sensitive information including network topology data, IP address assignments, subnet details, and potentially user credentials stored within the phpIPAM database. The vulnerability's presence in the administrative custom fields ordering functionality means that attackers could manipulate database schema elements, potentially creating backdoors or altering critical network management data. Organizations using phpIPAM for IP address management and network infrastructure tracking face significant risk, as this vulnerability could compromise the integrity of their network documentation and potentially expose their network architecture to unauthorized parties.

Mitigation strategies for CVE-2019-16693 should prioritize immediate patching of the phpIPAM application to version 1.4.2 or later, which includes the necessary input validation fixes. Organizations should implement proper input sanitization measures including parameterized queries and prepared statements to prevent similar issues in other applications. Network segmentation and access controls should be enforced to limit administrative access to phpIPAM, reducing the attack surface. Additionally, monitoring and logging of administrative activities should be enhanced to detect anomalous behavior in the custom fields ordering functionality. Security audits should verify that all phpIPAM components are updated to supported versions, and that proper input validation mechanisms are in place across all database interaction points. The vulnerability serves as a reminder of the importance of regular security updates and the critical need for proper input validation in web applications handling sensitive infrastructure data.
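The mitigation paragraph recommends parameterized queries, but a table name such as the order.php table parameter is an SQL identifier and cannot be bound as a prepared-statement parameter; it has to be checked against an allowlist instead. The following is an added example illustrating that pattern; it is not phpIPAM's code, and the table list and the custom_order column are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not phpIPAM code: hardening an endpoint that takes a table
// name from the request, as order.php does with its table parameter.
// Prepared statements cannot bind identifiers (table/column names), so the
// identifier is checked against an allowlist and only row values are bound.
// REORDERABLE_TABLES and the custom_order column are hypothetical.

const REORDERABLE_TABLES = ['subnets', 'ipaddresses', 'vlans', 'devices'];

/** Weak pattern (CWE-89): request-controlled identifier interpolated into SQL. */
function build_order_query_weak(string $table, int $position): string
{
    return "SELECT id FROM $table WHERE custom_order = $position";
}

/**
 * Hardened pattern: exact-match allowlist for the identifier, backtick
 * quoting as a second layer, and a bound placeholder for the value.
 * Returns [sql, params] ready for PDO::prepare()/execute().
 */
function build_order_query(string $table, int $position): array
{
    if (!in_array($table, REORDERABLE_TABLES, true)) {
        // Log the rejected value hex-encoded so the log line cannot be poisoned.
        error_log('order.php: rejected table parameter ' . bin2hex($table));
        throw new InvalidArgumentException('unknown table');
    }
    $quoted = '`' . str_replace('`', '``', $table) . '`';
    return ["SELECT id FROM $quoted WHERE custom_order = ?", [$position]];
}

// Demonstration with constructed input; no database connection is needed.
[$sql, $params] = build_order_query('subnets', 3);
echo $sql, ' ', json_encode($params), PHP_EOL;

try {
    build_order_query('not_in_allowlist', 3);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allowlist check belongs in front of every code path that turns a request parameter into a table or column name, since escaping functions and placeholders protect values only.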

Reservation: 09/22/2019

Moderation: accepted

CPE: ready


EPSS: 0.23793

KEV: no

Activities: very low
