phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.

References
https://github.com/phpipam/phpipam/issues/2738
http://packetstormsecurity.com/files/154651/phpIPAM-1.4-SQL-Injection.html