Vulnerabilites related to Combodo - iTop
CVE-2024-31448 (GCVE-0-2024-31448)
Vulnerability from cvelistv5
Published
2024-11-04 23:34
Modified
2024-11-05 16:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a simple, web based IT Service Management tool. By filling malicious code in a CSV content, an Cross-site Scripting (XSS) attack can be performed when importing this content. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. Users unable to upgrade should validate CSV content before importing it.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "3.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T16:28:22.368473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T16:28:45.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. By filling malicious code in a CSV content, an Cross-site Scripting (XSS) attack can be performed when importing this content. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. Users unable to upgrade should validate CSV content before importing it."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T23:34:19.435Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-776w-x6v7-vfwf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-776w-x6v7-vfwf"
}
],
"source": {
"advisory": "GHSA-776w-x6v7-vfwf",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability in link CSV import in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31448",
"datePublished": "2024-11-04T23:34:19.435Z",
"dateReserved": "2024-04-03T17:55:32.645Z",
"dateUpdated": "2024-11-05T16:28:45.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24026 (GCVE-0-2025-24026)
Vulnerability from cvelistv5
Published
2025-05-14 14:59
Modified
2025-05-14 15:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Summary
iTop is an web based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T15:10:48.040848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:10:59.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an web based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect iTop server. Version 3.2.1 doesn\u0027t use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:59:47.581Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9g7f-jmc3-rrmf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9g7f-jmc3-rrmf"
}
],
"source": {
"advisory": "GHSA-9g7f-jmc3-rrmf",
"discovery": "UNKNOWN"
},
"title": "iTop Inefficient Regular Expression Complexity vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24026",
"datePublished": "2025-05-14T14:59:47.581Z",
"dateReserved": "2025-01-16T17:31:06.460Z",
"dateUpdated": "2025-05-14T15:10:59.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34447 (GCVE-0-2023-34447)
Vulnerability from cvelistv5
Published
2023-10-25 15:35
Modified
2024-09-11 20:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, on `pages/UI.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:07.191Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p"
},
{
"name": "https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33"
},
{
"name": "https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T20:36:43.055666Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T20:36:52.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, on `pages/UI.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T15:35:24.730Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p"
},
{
"name": "https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33"
},
{
"name": "https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802"
}
],
"source": {
"advisory": "GHSA-6rfm-2rwg-mj7p",
"discovery": "UNKNOWN"
},
"title": "iTop XSS vulnerability on pages/UI.php "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34447",
"datePublished": "2023-10-25T15:35:24.730Z",
"dateReserved": "2023-06-06T16:16:53.558Z",
"dateUpdated": "2024-09-11T20:36:52.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52001 (GCVE-0-2024-52001)
Vulnerability from cvelistv5
Published
2024-11-08 22:18
Modified
2024-11-12 15:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Combodo iTop is a simple, web based IT Service Management tool. In affected versions portal users are able to access forbidden services information. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:19:19.544890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:22:35.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. In affected versions portal users are able to access forbidden services information. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T22:18:17.828Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9p26-v3wj-6q34",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9p26-v3wj-6q34"
}
],
"source": {
"advisory": "GHSA-9p26-v3wj-6q34",
"discovery": "UNKNOWN"
},
"title": "Portal user is able to access forbidden services information in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52001",
"datePublished": "2024-11-08T22:18:17.828Z",
"dateReserved": "2024-11-04T17:46:16.778Z",
"dateUpdated": "2024-11-12T15:22:35.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47773 (GCVE-0-2025-47773)
Vulnerability from cvelistv5
Published
2025-11-10 19:13
Modified
2025-11-10 19:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T19:36:03.356830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:37:10.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.13"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:13:09.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9qmf-5457-9xp3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9qmf-5457-9xp3"
}
],
"source": {
"advisory": "GHSA-9qmf-5457-9xp3",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop has XSS vulnerability in /pages/ajax.render.php"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47773",
"datePublished": "2025-11-10T19:13:09.254Z",
"dateReserved": "2025-05-09T19:49:35.619Z",
"dateUpdated": "2025-11-10T19:37:10.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-41161 (GCVE-0-2021-41161)
Vulnerability from cvelistv5
Published
2022-04-21 16:35
Modified
2025-04-23 18:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-41161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:53:55.338298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:33:19.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.0-beta6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don\u0027t properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-21T16:35:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22"
}
],
"source": {
"advisory": "GHSA-788f-g6g9-f8fc",
"discovery": "UNKNOWN"
},
"title": "XSS in csvimport in 3.0.0-beta versions",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41161",
"STATE": "PUBLIC",
"TITLE": "XSS in csvimport in 3.0.0-beta versions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 3.0.0-beta6"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don\u0027t properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc"
},
{
"name": "https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22"
}
]
},
"source": {
"advisory": "GHSA-788f-g6g9-f8fc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41161",
"datePublished": "2022-04-21T16:35:10.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:33:19.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24780 (GCVE-0-2022-24780)
Vulnerability from cvelistv5
Published
2022-04-05 18:30
Modified
2025-04-22 18:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.459Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://markus-krell.de/itop-template-injection-inside-customer-portal/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24780",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:44:01.928700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:17:20.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-23T15:06:07.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://markus-krell.de/itop-template-injection-inside-customer-portal/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html"
}
],
"source": {
"advisory": "GHSA-v97m-wgxq-rh54",
"discovery": "UNKNOWN"
},
"title": "Code Injection in Combodo iTop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24780",
"STATE": "PUBLIC",
"TITLE": "Code Injection in Combodo iTop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.6"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54"
},
{
"name": "https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3"
},
{
"name": "https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b"
},
{
"name": "https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305"
},
{
"name": "https://markus-krell.de/itop-template-injection-inside-customer-portal/",
"refsource": "MISC",
"url": "https://markus-krell.de/itop-template-injection-inside-customer-portal/"
},
{
"name": "http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html"
}
]
},
"source": {
"advisory": "GHSA-v97m-wgxq-rh54",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24780",
"datePublished": "2022-04-05T18:30:18.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:17:20.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-4079 (GCVE-0-2020-4079)
Vulnerability from cvelistv5
Published
2021-01-12 19:20
Modified
2024-08-04 07:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Information Exposure
Summary
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel export" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data they which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:20.880Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the \"excel export\" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data they which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-12T19:20:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh"
}
],
"source": {
"advisory": "GHSA-vcv9-xp3j-7jwh",
"discovery": "UNKNOWN"
},
"title": "Information disclosure vulnerability in iTop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-4079",
"STATE": "PUBLIC",
"TITLE": "Information disclosure vulnerability in iTop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the \"excel export\" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data they which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh"
}
]
},
"source": {
"advisory": "GHSA-vcv9-xp3j-7jwh",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-4079",
"datePublished": "2021-01-12T19:20:14",
"dateReserved": "2019-12-30T00:00:00",
"dateUpdated": "2024-08-04T07:52:20.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34444 (GCVE-0-2023-34444)
Vulnerability from cvelistv5
Published
2024-11-04 23:30
Modified
2024-11-05 16:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "2.7.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T16:30:36.580534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T16:31:24.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.9"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T23:30:21.686Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rwx9-rcxf-qrwv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rwx9-rcxf-qrwv"
}
],
"source": {
"advisory": "GHSA-rwx9-rcxf-qrwv",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability on pages/ajax.searchform.php in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34444",
"datePublished": "2024-11-04T23:30:21.686Z",
"dateReserved": "2023-06-06T16:16:53.557Z",
"dateUpdated": "2024-11-05T16:31:24.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45808 (GCVE-0-2023-45808)
Vulnerability from cvelistv5
Published
2024-04-15 17:28
Modified
2024-08-02 20:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45808",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-15T18:04:10.401346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:19:57.785Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh"
},
{
"name": "https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7"
},
{
"name": "https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.10"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. When creating or updating an object, extkey values aren\u0027t checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:28:41.058Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh"
},
{
"name": "https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7"
},
{
"name": "https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385"
}
],
"source": {
"advisory": "GHSA-245j-66p9-pwmh",
"discovery": "UNKNOWN"
},
"title": "iTop missing silo check on extkey in console and portal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45808",
"datePublished": "2024-04-15T17:28:41.058Z",
"dateReserved": "2023-10-13T12:00:50.436Z",
"dateUpdated": "2024-08-02T20:29:32.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47622 (GCVE-0-2023-47622)
Vulnerability from cvelistv5
Published
2024-04-15 17:34
Modified
2024-08-02 21:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
iTop is an IT service management platform. When dashlet are refreshed, XSS attacks are possible. This vulnerability is fixed in 3.0.4 and 3.1.1.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-15T21:12:54.999854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:26:35.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:42.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh"
},
{
"name": "https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. When dashlet are refreshed, XSS attacks are possible. This vulnerability is fixed in 3.0.4 and 3.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:34:01.226Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh"
},
{
"name": "https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9"
}
],
"source": {
"advisory": "GHSA-q9cm-q7fc-frxh",
"discovery": "UNKNOWN"
},
"title": "iTop vulnerable to XSS vulnerability in dashlet refresh"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47622",
"datePublished": "2024-04-15T17:34:01.226Z",
"dateReserved": "2023-11-07T16:57:49.243Z",
"dateUpdated": "2024-08-02T21:16:42.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48709 (GCVE-0-2023-48709)
Vulnerability from cvelistv5
Published
2024-04-15 17:43
Modified
2024-08-02 21:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"status": "affected",
"version": "2.7.8"
},
{
"status": "affected",
"version": "3.0.3"
},
{
"status": "affected",
"version": "3.1.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T20:03:47.109888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T20:05:33.014Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:37:54.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9"
},
{
"name": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a"
},
{
"name": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.9"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users\u0027 inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:43:05.871Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9"
},
{
"name": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a"
},
{
"name": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c"
}
],
"source": {
"advisory": "GHSA-9q3x-9987-53x9",
"discovery": "UNKNOWN"
},
"title": "iTop vulnerable to potential formula injection in Excel/CSV export file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-48709",
"datePublished": "2024-04-15T17:43:05.871Z",
"dateReserved": "2023-11-17T19:43:37.555Z",
"dateUpdated": "2024-08-02T21:37:54.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32870 (GCVE-0-2024-32870)
Vulnerability from cvelistv5
Published
2024-11-04 23:36
Modified
2024-11-05 16:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be read by anyone having access to iTop URI. This issue has been patched in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "2.7.11",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.5",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.2",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T16:25:00.433322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T16:26:44.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.11"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.5"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be read by anyone having access to iTop URI. This issue has been patched in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T23:36:46.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rfjh-2f5x-qxmx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rfjh-2f5x-qxmx"
}
],
"source": {
"advisory": "GHSA-rfjh-2f5x-qxmx",
"discovery": "UNKNOWN"
},
"title": "iTop hub connector Information disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32870",
"datePublished": "2024-11-04T23:36:46.265Z",
"dateReserved": "2024-04-19T14:07:11.229Z",
"dateUpdated": "2024-11-05T16:26:44.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51739 (GCVE-0-2024-51739)
Vulnerability from cvelistv5
Published
2024-11-05 18:11
Modified
2024-11-05 18:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it easier to bruteforce a valid account. As a fix the sentence displayed after resetting password no longer shows if the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may overload the dictionary entry `"UI:ResetPwd-Error-WrongLogin"` through an extension and replace it with a generic message.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "2.7.11",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.5",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1.2",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51739",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T18:44:44.280050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:50:23.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.11"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.5"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it easier to bruteforce a valid account. As a fix the sentence displayed after resetting password no longer shows if the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may overload the dictionary entry `\"UI:ResetPwd-Error-WrongLogin\"` through an extension and replace it with a generic message."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:11:37.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-2hmf-p27w-phf9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-2hmf-p27w-phf9"
}
],
"source": {
"advisory": "GHSA-2hmf-p27w-phf9",
"discovery": "UNKNOWN"
},
"title": "Users enumeration allowed through Rest API in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51739",
"datePublished": "2024-11-05T18:11:37.244Z",
"dateReserved": "2024-10-31T14:12:45.789Z",
"dateUpdated": "2024-11-05T18:50:23.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52002 (GCVE-0-2024-52002)
Vulnerability from cvelistv5
Published
2024-11-08 22:16
Modified
2024-11-12 15:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:23:11.845832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:23:26.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T22:16:35.543Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm"
}
],
"source": {
"advisory": "GHSA-xr4x-xq7v-7gqm",
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery (CSRF) in several iTop pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52002",
"datePublished": "2024-11-08T22:16:35.543Z",
"dateReserved": "2024-11-04T17:46:16.778Z",
"dateUpdated": "2024-11-12T15:23:26.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24969 (GCVE-0-2025-24969)
Vulnerability from cvelistv5
Published
2025-05-14 15:11
Modified
2025-05-14 15:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
iTop is an web based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contacts picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24969",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T15:45:46.450095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:45:51.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an web based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contacts picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:11:59.541Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-52p7-7f8f-j7pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-52p7-7f8f-j7pc"
}
],
"source": {
"advisory": "GHSA-52p7-7f8f-j7pc",
"discovery": "UNKNOWN"
},
"title": "iTop portal user can see any other contact\u0027s picture"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24969",
"datePublished": "2025-05-14T15:11:45.247Z",
"dateReserved": "2025-01-29T15:18:03.209Z",
"dateUpdated": "2025-05-14T15:45:51.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47932 (GCVE-0-2025-47932)
Vulnerability from cvelistv5
Published
2025-11-10 19:20
Modified
2025-11-10 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47932",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T19:34:08.152133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:34:40.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.13"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:20:24.114Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rmxq-fx69-7wg5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rmxq-fx69-7wg5"
}
],
"source": {
"advisory": "GHSA-rmxq-fx69-7wg5",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop vulnerable to reflected XSS in ajax.render.php render_dashboard"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47932",
"datePublished": "2025-11-10T19:20:24.114Z",
"dateReserved": "2025-05-14T10:32:43.529Z",
"dateUpdated": "2025-11-10T19:34:40.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-15219 (GCVE-0-2020-15219)
Vulnerability from cvelistv5
Published
2021-01-13 16:55
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-209 - Information Exposure Through an Error Message
Summary
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the user portal, an SQL query is displayed to the user. This is fixed in versions 2.7.2 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the user portal, an SQL query is displayed to the user. This is fixed in versions 2.7.2 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Information Exposure Through an Error Message",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-13T16:55:17",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8"
}
],
"source": {
"advisory": "GHSA-q5cf-46rg-frf8",
"discovery": "UNKNOWN"
},
"title": "SQL query displayed on portal error",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15219",
"STATE": "PUBLIC",
"TITLE": "SQL query displayed on portal error"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the user portal, an SQL query is displayed to the user. This is fixed in versions 2.7.2 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-209 Information Exposure Through an Error Message"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8"
}
]
},
"source": {
"advisory": "GHSA-q5cf-46rg-frf8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15219",
"datePublished": "2021-01-13T16:55:17",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32776 (GCVE-0-2021-32776)
Vulnerability from cvelistv5
Published
2021-07-21 20:25
Modified
2024-08-03 23:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-21T20:25:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr"
}
],
"source": {
"advisory": "GHSA-cxw7-2x7h-f7pr",
"discovery": "UNKNOWN"
},
"title": "No CSRF form token cleanup on Windows servers",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32776",
"STATE": "PUBLIC",
"TITLE": "No CSRF form token cleanup on Windows servers"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.4"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr"
}
]
},
"source": {
"advisory": "GHSA-cxw7-2x7h-f7pr",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32776",
"datePublished": "2021-07-21T20:25:09",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:55.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24811 (GCVE-0-2022-24811)
Vulnerability from cvelistv5
Published
2022-04-05 18:35
Modified
2025-04-22 18:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1625056478879-Combodo/iTop/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24811",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:49:02.499634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:17:11.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-05T18:35:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://huntr.dev/bounties/1625056478879-Combodo/iTop/"
}
],
"source": {
"advisory": "GHSA-67x5-mqg4-rvgc",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in Combodo iTop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24811",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting in Combodo iTop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.6"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc"
},
{
"name": "https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4"
},
{
"name": "https://huntr.dev/bounties/1625056478879-Combodo/iTop/",
"refsource": "MISC",
"url": "https://huntr.dev/bounties/1625056478879-Combodo/iTop/"
}
]
},
"source": {
"advisory": "GHSA-67x5-mqg4-rvgc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24811",
"datePublished": "2022-04-05T18:35:11.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:17:11.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15220 (GCVE-0-2020-15220)
Vulnerability from cvelistv5
Published
2021-01-13 17:05
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-613 - Insufficient Session Expiration
Summary
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal user session. This is fixed in versions 2.7.2 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal user session. This is fixed in versions 2.7.2 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-13T17:05:17",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2"
}
],
"source": {
"advisory": "GHSA-qw4q-cmcv-7vv2",
"discovery": "UNKNOWN"
},
"title": "Session fixation",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15220",
"STATE": "PUBLIC",
"TITLE": "Session fixation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal user session. This is fixed in versions 2.7.2 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2"
}
]
},
"source": {
"advisory": "GHSA-qw4q-cmcv-7vv2",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15220",
"datePublished": "2021-01-13T17:05:17",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32663 (GCVE-0-2021-32663)
Vulnerability from cvelistv5
Published
2021-10-19 17:40
Modified
2024-08-03 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.5"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.7.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-19T17:40:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec"
}
],
"source": {
"advisory": "GHSA-ghqc-r8f6-q9m9",
"discovery": "UNKNOWN"
},
"title": "Unauthorized setup leads to SSRF in Combodo/iTop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32663",
"STATE": "PUBLIC",
"TITLE": "Unauthorized setup leads to SSRF in Combodo/iTop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.6.5"
},
{
"version_value": "\u003e= 2.7.0, \u003c 2.7.5"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918: Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9"
},
{
"name": "https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807"
},
{
"name": "https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec"
}
]
},
"source": {
"advisory": "GHSA-ghqc-r8f6-q9m9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32663",
"datePublished": "2021-10-19T17:40:11",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54139 (GCVE-0-2024-54139)
Vulnerability from cvelistv5
Published
2024-12-13 15:59
Modified
2024-12-13 17:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0., iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T17:33:51.255770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T17:34:07.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.11"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.1.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-alpha1, \u003c 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0., iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T15:59:24.978Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-jmv2-wfh5-h5wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-jmv2-wfh5-h5wg"
}
],
"source": {
"advisory": "GHSA-jmv2-wfh5-h5wg",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop vulnerable to XSS leading to CSRF breach on _table_id parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-54139",
"datePublished": "2024-12-13T15:59:24.978Z",
"dateReserved": "2024-11-29T18:02:16.755Z",
"dateUpdated": "2024-12-13T17:34:07.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21406 (GCVE-0-2021-21406)
Vulnerability from cvelistv5
Published
2021-07-21 15:05
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.146Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-21T15:05:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x"
}
],
"source": {
"advisory": "GHSA-pf95-6h7q-q85x",
"discovery": "UNKNOWN"
},
"title": "Command Injection vulnerability in the Setup Wizard",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21406",
"STATE": "PUBLIC",
"TITLE": "Command Injection vulnerability in the Setup Wizard"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.4"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x"
}
]
},
"source": {
"advisory": "GHSA-pf95-6h7q-q85x",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21406",
"datePublished": "2021-07-21T15:05:10",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:16.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52000 (GCVE-0-2024-52000)
Vulnerability from cvelistv5
Published
2024-11-08 22:20
Modified
2024-11-12 15:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52000",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:58:58.399828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:59:23.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request\u0027s payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T22:20:02.422Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg"
}
],
"source": {
"advisory": "GHSA-r58g-p5r9-8hfg",
"discovery": "UNKNOWN"
},
"title": "Reflected Cross-site Scripting exploit in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52000",
"datePublished": "2024-11-08T22:20:02.422Z",
"dateReserved": "2024-11-04T17:46:16.778Z",
"dateUpdated": "2024-11-12T15:59:23.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12777 (GCVE-0-2020-12777)
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-17 03:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Broken Access Control
Summary
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"lessThanOrEqual": "2.7.0-beta2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-25T16:16:58",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Combodo iTop - Broken Access Control",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-10T03:00:00.000Z",
"ID": "CVE-2020-12777",
"STATE": "PUBLIC",
"TITLE": "Combodo iTop - Broken Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "2.7.0-beta2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Broken Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html"
},
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-12777",
"datePublished": "2020-08-10T02:45:38.090892Z",
"dateReserved": "2020-05-11T00:00:00",
"dateUpdated": "2024-09-17T03:22:24.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34446 (GCVE-0-2023-34446)
Vulnerability from cvelistv5
Published
2023-10-25 15:35
Modified
2024-09-10 20:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, when displaying `pages/preferences.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:10:07.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68"
},
{
"name": "https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "3.0.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T20:40:03.773519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T20:42:19.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, when displaying `pages/preferences.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T15:35:21.187Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68"
},
{
"name": "https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10"
}
],
"source": {
"advisory": "GHSA-q4pp-j46r-gm68",
"discovery": "UNKNOWN"
},
"title": "iTop XSS vulnerability on pages/preferences.php "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34446",
"datePublished": "2023-10-25T15:35:21.187Z",
"dateReserved": "2023-06-06T16:16:53.557Z",
"dateUpdated": "2024-09-10T20:42:19.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52601 (GCVE-0-2024-52601)
Vulnerability from cvelistv5
Published
2025-05-14 14:39
Modified
2025-05-14 14:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T14:49:28.654274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:49:38.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.12"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.3"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they\u0027re not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:39:15.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-cph2-466c-3f87",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-cph2-466c-3f87"
}
],
"source": {
"advisory": "GHSA-cph2-466c-3f87",
"discovery": "UNKNOWN"
},
"title": "iTop portal Insecure Direct Object Reference vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52601",
"datePublished": "2025-05-14T14:39:15.120Z",
"dateReserved": "2024-11-14T15:05:46.770Z",
"dateUpdated": "2025-05-14T14:49:38.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48055 (GCVE-0-2025-48055)
Vulnerability from cvelistv5
Published
2025-11-10 20:33
Modified
2025-11-10 20:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T20:44:54.414276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T20:45:35.253Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T20:33:48.310Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-684h-f39j-5gq8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-684h-f39j-5gq8"
}
],
"source": {
"advisory": "GHSA-684h-f39j-5gq8",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop has stored XSS in user portal\u0027s browse brick"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48055",
"datePublished": "2025-11-10T20:33:48.310Z",
"dateReserved": "2025-05-15T16:06:40.940Z",
"dateUpdated": "2025-11-10T20:45:35.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48065 (GCVE-0-2025-48065)
Vulnerability from cvelistv5
Published
2025-11-10 20:35
Modified
2025-11-10 20:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T20:57:54.636089Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T20:58:59.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.13"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T20:35:34.054Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-292c-hgcf-2g22",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-292c-hgcf-2g22"
}
],
"source": {
"advisory": "GHSA-292c-hgcf-2g22",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop vulnerable to reflected XSS via objection edition form error"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48065",
"datePublished": "2025-11-10T20:35:34.054Z",
"dateReserved": "2025-05-15T16:06:40.941Z",
"dateUpdated": "2025-11-10T20:58:59.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24022 (GCVE-0-2025-24022)
Vulnerability from cvelistv5
Published
2025-05-14 14:57
Modified
2025-05-14 15:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T15:11:31.622151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:12:14.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.12"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.3"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop\u0027s portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:58:27.761Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j"
}
],
"source": {
"advisory": "GHSA-rhv2-wfrr-4j2j",
"discovery": "UNKNOWN"
},
"title": "iTop server vulnerable to portal code injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24022",
"datePublished": "2025-05-14T14:57:37.960Z",
"dateReserved": "2025-01-16T17:31:06.459Z",
"dateUpdated": "2025-05-14T15:12:14.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15218 (GCVE-0-2020-15218)
Vulnerability from cvelistv5
Published
2021-01-13 16:50
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-613 - Insufficient Session Expiration
Summary
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is visible after deconnection by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is visible after deconnection by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-13T16:50:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j"
}
],
"source": {
"advisory": "GHSA-3m3g-86hp-5p2j",
"discovery": "UNKNOWN"
},
"title": "Admin pages are cached and can be embedded",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15218",
"STATE": "PUBLIC",
"TITLE": "Admin pages are cached and can be embedded"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is visible after deconnection by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613 Insufficient Session Expiration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j"
}
]
},
"source": {
"advisory": "GHSA-3m3g-86hp-5p2j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15218",
"datePublished": "2021-01-13T16:50:12",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32664 (GCVE-0-2021-32664)
Vulnerability from cvelistv5
Published
2021-10-19 17:45
Modified
2024-08-03 23:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is an open source web based IT Service Management tool. In affected versions there is a XSS vulnerability on "run query" page when logged as administrator. This has been resolved in versions 2.6.5 and 2.7.5.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.081Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.5"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.7.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is an open source web based IT Service Management tool. In affected versions there is a XSS vulnerability on \"run query\" page when logged as administrator. This has been resolved in versions 2.6.5 and 2.7.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-19T17:45:12",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6"
}
],
"source": {
"advisory": "GHSA-j758-ggwg-9mpj",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS in Combodo/iTop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32664",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS in Combodo/iTop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.6.5"
},
{
"version_value": "\u003e= 2.7.0, \u003c 2.7.5"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is an open source web based IT Service Management tool. In affected versions there is a XSS vulnerability on \"run query\" page when logged as administrator. This has been resolved in versions 2.6.5 and 2.7.5."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj"
},
{
"name": "https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704"
},
{
"name": "https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a"
},
{
"name": "https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6"
}
]
},
"source": {
"advisory": "GHSA-j758-ggwg-9mpj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32664",
"datePublished": "2021-10-19T17:45:12",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24785 (GCVE-0-2025-24785)
Vulnerability from cvelistv5
Published
2025-05-14 15:05
Modified
2025-05-14 15:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
iTop is an web based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T15:24:33.374095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:24:51.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "= 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an web based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:05:28.056Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-49rq-cgv9-7hv4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-49rq-cgv9-7hv4"
}
],
"source": {
"advisory": "GHSA-49rq-cgv9-7hv4",
"discovery": "UNKNOWN"
},
"title": "iTop dashboard vulnerable to denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24785",
"datePublished": "2025-05-14T15:05:28.056Z",
"dateReserved": "2025-01-23T17:11:35.835Z",
"dateUpdated": "2025-05-14T15:24:51.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32775 (GCVE-0-2021-32775)
Vulnerability from cvelistv5
Published
2021-07-21 20:20
Modified
2024-08-03 23:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Summary
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field values through GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:56.079Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field values through GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-21T20:20:09",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq"
}
],
"source": {
"advisory": "GHSA-xh7w-rrp3-fhpq",
"discovery": "UNKNOWN"
},
"title": " Any user can see any fields (including mailbox password) with GroupBy Dashlet",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32775",
"STATE": "PUBLIC",
"TITLE": " Any user can see any fields (including mailbox password) with GroupBy Dashlet"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.4"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field values through GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-209: Generation of Error Message Containing Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq"
}
]
},
"source": {
"advisory": "GHSA-xh7w-rrp3-fhpq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32775",
"datePublished": "2021-07-21T20:20:09",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:33:56.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47123 (GCVE-0-2023-47123)
Vulnerability from cvelistv5
Published
2024-04-15 17:31
Modified
2024-08-02 21:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
iTop is an IT service management platform. By filling malicious code in an object friendlyname / complementary name, an XSS attack can be performed when this object will displayed as an n:n relation item in another object. This vulnerability is fixed in 3.1.1 and 3.2.0.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"status": "unknown",
"version": "3.1.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:-:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"status": "unknown",
"version": "3.2.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47123",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-19T21:03:01.075263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:26:44.001Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:01:22.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp"
},
{
"name": "https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. By filling malicious code in an object friendlyname / complementary name, an XSS attack can be performed when this object will displayed as an n:n relation item in another object. This vulnerability is fixed in 3.1.1 and 3.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:31:21.407Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp"
},
{
"name": "https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72"
}
],
"source": {
"advisory": "GHSA-mx8x-693w-9hjp",
"discovery": "UNKNOWN"
},
"title": "iTop vulnerable to XSS vulnerability in n:n relations \"tagset\" widget"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47123",
"datePublished": "2024-04-15T17:31:21.407Z",
"dateReserved": "2023-10-30T19:57:51.676Z",
"dateUpdated": "2024-08-02T21:01:22.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41245 (GCVE-0-2021-41245)
Vulnerability from cvelistv5
Published
2022-04-05 15:05
Modified
2025-04-22 18:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop config file.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:08:31.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-41245",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:49:06.292415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:17:28.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren\u0027t properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop config file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-05T15:05:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae"
}
],
"source": {
"advisory": "GHSA-33pr-5776-9jqf",
"discovery": "UNKNOWN"
},
"title": "Possible Cross-Site Request Forgery in Combodo iTop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41245",
"STATE": "PUBLIC",
"TITLE": "Possible Cross-Site Request Forgery in Combodo iTop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.6"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren\u0027t properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop config file."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf"
},
{
"name": "https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186"
},
{
"name": "https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae",
"refsource": "MISC",
"url": "https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae"
}
]
},
"source": {
"advisory": "GHSA-33pr-5776-9jqf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41245",
"datePublished": "2022-04-05T15:05:11.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:17:28.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49145 (GCVE-0-2025-49145)
Vulnerability from cvelistv5
Published
2025-11-10 21:10
Modified
2025-11-10 21:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T21:42:47.303251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:42:53.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.13"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:10:19.742Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-55q8-mfxr-pq4j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-55q8-mfxr-pq4j"
}
],
"source": {
"advisory": "GHSA-55q8-mfxr-pq4j",
"discovery": "UNKNOWN"
},
"title": "iTop admin can drop iTop database using webhooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49145",
"datePublished": "2025-11-10T21:10:19.742Z",
"dateReserved": "2025-06-02T10:39:41.635Z",
"dateUpdated": "2025-11-10T21:42:53.736Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-12779 (GCVE-0-2020-12779)
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-16 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Stored XSS
Summary
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"lessThanOrEqual": "2.7.0-beta2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Stored XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-25T16:03:55",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Combodo iTop - Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-10T03:00:00.000Z",
"ID": "CVE-2020-12779",
"STATE": "PUBLIC",
"TITLE": "Combodo iTop - Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "2.7.0-beta2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Stored XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html"
},
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-12779",
"datePublished": "2020-08-10T02:45:38.893251Z",
"dateReserved": "2020-05-11T00:00:00",
"dateUpdated": "2024-09-16T16:27:55.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21407 (GCVE-0-2021-21407)
Vulnerability from cvelistv5
Published
2021-07-21 15:15
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in version 2.7.4 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in version 2.7.4 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-21T15:15:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f"
}
],
"source": {
"advisory": "GHSA-9wq8-4qm9-3j6f",
"discovery": "UNKNOWN"
},
"title": "Portal : the CSRF token isn\u0027t validated",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21407",
"STATE": "PUBLIC",
"TITLE": "Portal : the CSRF token isn\u0027t validated"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.4"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in version 2.7.4 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f"
}
]
},
"source": {
"advisory": "GHSA-9wq8-4qm9-3j6f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21407",
"datePublished": "2021-07-21T15:15:11",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:16.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51993 (GCVE-0-2024-51993)
Vulnerability from cvelistv5
Published
2024-11-07 17:59
Modified
2024-11-07 18:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Summary
Combodo iTop is a web based IT Service Management tool. An attacker accessing a backup file or the database can read some passwords for misconfigured Users. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. Users unable to upgrade are advised to encrypt their backups independently of the iTop application.
### Patches
Sanitize parameter
### References
N°7631 - Password is stored in clear in the database.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T18:32:31.429198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T18:32:36.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. An attacker accessing a backup file or the database can read some passwords for misconfigured Users. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. Users unable to upgrade are advised to encrypt their backups independently of the iTop application.\n\n### Patches\nSanitize parameter\n\n### References\nN\u00b07631 - Password is stored in clear in the database."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T17:59:18.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427"
}
],
"source": {
"advisory": "GHSA-9mq5-349x-x427",
"discovery": "UNKNOWN"
},
"title": "Password is stored in clear in the database in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51993",
"datePublished": "2024-11-07T17:59:18.617Z",
"dateReserved": "2024-11-04T17:46:16.776Z",
"dateUpdated": "2024-11-07T18:32:36.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24021 (GCVE-0-2025-24021)
Vulnerability from cvelistv5
Published
2025-05-14 14:48
Modified
2025-08-26 13:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T15:12:47.176574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T13:44:18.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.12"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.1.3"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they\u0027re not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T20:45:11.090Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj"
},
{
"name": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b"
}
],
"source": {
"advisory": "GHSA-c8hm-h9gv-8jpj",
"discovery": "UNKNOWN"
},
"title": "iTop doesn\u0027t have mass assignment of fields in the portal form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24021",
"datePublished": "2025-05-14T14:48:42.694Z",
"dateReserved": "2025-01-16T17:31:06.459Z",
"dateUpdated": "2025-08-26T13:44:18.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15221 (GCVE-0-2020-15221)
Vulnerability from cvelistv5
Published
2021-01-13 17:10
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:23.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-13T17:10:15",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw"
}
],
"source": {
"advisory": "GHSA-w6g2-p7pf-7hvw",
"discovery": "UNKNOWN"
},
"title": "XSS in the breadcrumbs",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15221",
"STATE": "PUBLIC",
"TITLE": "XSS in the breadcrumbs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003c 2.7.2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw"
}
]
},
"source": {
"advisory": "GHSA-w6g2-p7pf-7hvw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15221",
"datePublished": "2021-01-13T17:10:15",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:23.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31998 (GCVE-0-2024-31998)
Vulnerability from cvelistv5
Published
2024-11-04 23:35
Modified
2024-11-05 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "3.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31998",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T16:27:03.151474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T16:27:54.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T23:35:22.676Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r"
}
],
"source": {
"advisory": "GHSA-8cwx-q4xh-7c7r",
"discovery": "UNKNOWN"
},
"title": "CSRF security issue on CSV import in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31998",
"datePublished": "2024-11-04T23:35:22.676Z",
"dateReserved": "2024-04-08T13:48:37.492Z",
"dateUpdated": "2024-11-05T16:27:54.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47286 (GCVE-0-2025-47286)
Vulnerability from cvelistv5
Published
2025-11-10 18:38
Modified
2025-11-10 19:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47286",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T19:25:27.386063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:47:01.682Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.13"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T18:38:40.283Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-4w93-rw6g-5m9c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-4w93-rw6g-5m9c"
}
],
"source": {
"advisory": "GHSA-4w93-rw6g-5m9c",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop vulnerable to Remote Code Execution in the backup creation functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47286",
"datePublished": "2025-11-10T18:38:40.283Z",
"dateReserved": "2025-05-05T16:53:10.374Z",
"dateUpdated": "2025-11-10T19:47:01.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-12780 (GCVE-0-2020-12780)
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-16 20:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Security Misconfiguration
Summary
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"lessThanOrEqual": "2.7.0-beta2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A security misconfiguration exists in Combodo iTop, which can expose sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Security Misconfiguration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-25T16:12:22",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Combodo iTop - Security Misconfiguration",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-10T03:00:00.000Z",
"ID": "CVE-2020-12780",
"STATE": "PUBLIC",
"TITLE": "Combodo iTop - Security Misconfiguration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "2.7.0-beta2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A security misconfiguration exists in Combodo iTop, which can expose sensitive information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Security Misconfiguration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html"
},
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-12780",
"datePublished": "2020-08-10T02:45:39.363087Z",
"dateReserved": "2020-05-11T00:00:00",
"dateUpdated": "2024-09-16T20:06:35.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34443 (GCVE-0-2023-34443)
Vulnerability from cvelistv5
Published
2024-11-04 23:29
Modified
2024-11-05 16:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a simple, web based IT Service Management tool. When displaying page Run queries Cross-site Scripting (XSS) are possible for scripts outside of script tags. This has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "2.7.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34443",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T16:34:20.393006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T16:34:56.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.9"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. When displaying page Run queries Cross-site Scripting (XSS) are possible for scripts outside of script tags. This has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T23:29:00.751Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mx6-pwpp-j3xx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mx6-pwpp-j3xx"
},
{
"name": "https://huntr.dev/bounties/c230d55d-1f0e-40c3-8c7e-20587d3e54da/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b",
"tags": [
"x_refsource_MISC"
],
"url": "https://huntr.dev/bounties/c230d55d-1f0e-40c3-8c7e-20587d3e54da/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b"
}
],
"source": {
"advisory": "GHSA-9mx6-pwpp-j3xx",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability in the run_query.php page in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34443",
"datePublished": "2024-11-04T23:29:00.751Z",
"dateReserved": "2023-06-06T16:16:53.557Z",
"dateUpdated": "2024-11-05T16:34:56.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48710 (GCVE-0-2023-48710)
Vulnerability from cvelistv5
Published
2024-04-15 17:47
Modified
2024-08-02 21:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Summary
iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module.
The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "2.7.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.1",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T19:03:48.293598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T19:06:04.001Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:37:54.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc"
},
{
"name": "https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.10"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. \n The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won\u0027t be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552: Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:47:51.113Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc"
},
{
"name": "https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26"
}
],
"source": {
"advisory": "GHSA-g652-q7cc-7hfc",
"discovery": "UNKNOWN"
},
"title": "iTop limit pages/exec.php script to PHP files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-48710",
"datePublished": "2024-04-15T17:47:51.113Z",
"dateReserved": "2023-11-17T19:43:37.555Z",
"dateUpdated": "2024-08-02T21:37:54.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34445 (GCVE-0-2023-34445)
Vulnerability from cvelistv5
Published
2024-11-04 23:31
Modified
2024-11-05 16:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "itop",
"vendor": "combodo",
"versions": [
{
"lessThan": "2.7.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "3.0.4",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T16:29:08.695276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T16:29:52.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.9"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T23:31:51.164Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-mm45-wh68-jpvq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-mm45-wh68-jpvq"
}
],
"source": {
"advisory": "GHSA-mm45-wh68-jpvq",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability on pages/ajax.render.php in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-34445",
"datePublished": "2024-11-04T23:31:51.164Z",
"dateReserved": "2023-06-06T16:16:53.557Z",
"dateUpdated": "2024-11-05T16:29:52.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38511 (GCVE-0-2023-38511)
Vulnerability from cvelistv5
Published
2024-04-15 17:06
Modified
2024-08-02 17:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38511",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-17T20:37:20.591801Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:28:15.955Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:46:56.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm"
},
{
"name": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7"
},
{
"name": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab"
},
{
"name": "https://www.synacktiv.com/advisories/file-read-in-itop",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.synacktiv.com/advisories/file-read-in-itop"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:08:27.830Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm"
},
{
"name": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7"
},
{
"name": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab"
},
{
"name": "https://www.synacktiv.com/advisories/file-read-in-itop",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.synacktiv.com/advisories/file-read-in-itop"
}
],
"source": {
"advisory": "GHSA-323r-chx5-m9gm",
"discovery": "UNKNOWN"
},
"title": "iTop Dashboard editor vulnerable dashboard config file parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-38511",
"datePublished": "2024-04-15T17:06:35.666Z",
"dateReserved": "2023-07-18T16:28:12.078Z",
"dateUpdated": "2024-08-02T17:46:56.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51740 (GCVE-0-2024-51740)
Vulnerability from cvelistv5
Published
2024-11-05 18:13
Modified
2024-11-05 19:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T19:02:13.526725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T19:02:20.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.11"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.5"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T18:13:05.227Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-w9g8-mxm5-ph62",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w9g8-mxm5-ph62"
}
],
"source": {
"advisory": "GHSA-w9g8-mxm5-ph62",
"discovery": "UNKNOWN"
},
"title": "SSRF through arbitrary PHP class instantiation in the user portal in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51740",
"datePublished": "2024-11-05T18:13:05.227Z",
"dateReserved": "2024-10-31T14:12:45.789Z",
"dateUpdated": "2024-11-05T19:02:20.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51995 (GCVE-0-2024-51995)
Vulnerability from cvelistv5
Published
2024-11-07 17:55
Modified
2024-11-07 18:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Combodo iTop is a web based IT Service Management tool. An attacker can request any `route` we want as long as we specify an `operation` that is allowed. This issue has been addressed in version 3.2.0 by applying the same access control pattern as in `UI.php` to the `ajax.render.php` page which does not allow arbitrary `routes` to be dispatched. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51995",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T18:16:46.169964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T18:16:51.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. An attacker can request any `route` we want as long as we specify an `operation` that is allowed. This issue has been addressed in version 3.2.0 by applying the same access control pattern as in `UI.php` to the `ajax.render.php` page which does not allow arbitrary `routes` to be dispatched. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T17:55:15.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-3mxr-8r3j-j2j9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-3mxr-8r3j-j2j9"
}
],
"source": {
"advisory": "GHSA-3mxr-8r3j-j2j9",
"discovery": "UNKNOWN"
},
"title": "Logic bug in ajax.render.php allows for bypass of \u0027backOffice\u0027 access control in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51995",
"datePublished": "2024-11-07T17:55:15.598Z",
"dateReserved": "2024-11-04T17:46:16.776Z",
"dateUpdated": "2024-11-07T18:16:51.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56157 (GCVE-0-2024-56157)
Vulnerability from cvelistv5
Published
2025-05-14 14:40
Modified
2025-05-14 15:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
iTop is an web based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by filling malicious code in a CSV content, a cross-site scripting attack can be performed when importing this content. The issue is fixed in versions 3.1.3 and 3.2.1. As a workaround, check CSV content before importing it.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56157",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T15:13:24.666626Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:13:31.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.3"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an web based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by filling malicious code in a CSV content, a cross-site scripting attack can be performed when importing this content. The issue is fixed in versions 3.1.3 and 3.2.1. As a workaround, check CSV content before importing it."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:40:46.107Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-6p48-74j9-977j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-6p48-74j9-977j"
}
],
"source": {
"advisory": "GHSA-6p48-74j9-977j",
"discovery": "UNKNOWN"
},
"title": "iTop vulnerable to Self XSS in CSV Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56157",
"datePublished": "2025-05-14T14:40:46.107Z",
"dateReserved": "2024-12-17T18:16:49.853Z",
"dateUpdated": "2025-05-14T15:13:31.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47626 (GCVE-0-2023-47626)
Vulnerability from cvelistv5
Published
2024-04-15 17:36
Modified
2024-08-02 21:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
iTop is an IT service management platform. When displaying/editing the user's personal tokens, XSS attacks are possible. This vulnerability is fixed in 3.1.1.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:35:14.923567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T21:03:36.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:42.094Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. When displaying/editing the user\u0027s personal tokens, XSS attacks are possible. This vulnerability is fixed in 3.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:36:08.437Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h"
}
],
"source": {
"advisory": "GHSA-vv3v-9vrv-h95h",
"discovery": "UNKNOWN"
},
"title": "iTop vulnerable to XSS vulnerability in authent-token"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47626",
"datePublished": "2024-04-15T17:36:08.437Z",
"dateReserved": "2023-11-07T16:57:49.244Z",
"dateUpdated": "2024-08-02T21:16:42.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48878 (GCVE-0-2025-48878)
Vulnerability from cvelistv5
Published
2025-11-10 20:43
Modified
2025-11-10 20:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T20:57:37.992481Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T20:58:47.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn\u0027t be able to do so. Version 3.2.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T20:43:04.366Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rj75-7cgw-4556",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rj75-7cgw-4556"
}
],
"source": {
"advisory": "GHSA-rj75-7cgw-4556",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop vulnerable to IDOR with ModuleInstallation object"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48878",
"datePublished": "2025-11-10T20:43:04.366Z",
"dateReserved": "2025-05-27T20:14:34.296Z",
"dateUpdated": "2025-11-10T20:58:47.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-12778 (GCVE-0-2020-12778)
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-17 01:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Reflected XSS
Summary
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"lessThanOrEqual": "2.7.0-beta2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Reflected XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-25T16:09:58",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Combodo iTop - Reflected XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-10T03:00:00.000Z",
"ID": "CVE-2020-12778",
"STATE": "PUBLIC",
"TITLE": "Combodo iTop - Reflected XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "2.7.0-beta2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Reflected XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html"
},
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-12778",
"datePublished": "2020-08-10T02:45:38.492001Z",
"dateReserved": "2020-05-11T00:00:00",
"dateUpdated": "2024-09-17T01:26:51.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41162 (GCVE-0-2021-41162)
Vulnerability from cvelistv5
Published
2022-04-21 16:45
Modified
2025-04-23 18:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.649Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-41162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:53:52.003868Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:33:13.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-beta, \u003c 3.0.0-beta6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-21T16:45:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0"
}
],
"source": {
"advisory": "GHSA-w5jw-hfvp-gx95",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in Combodo iTop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41162",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting in Combodo iTop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003e= 3.0.0-beta, \u003c 3.0.0-beta6"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95"
},
{
"name": "https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0"
}
]
},
"source": {
"advisory": "GHSA-w5jw-hfvp-gx95",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41162",
"datePublished": "2022-04-21T16:45:13.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:33:13.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51994 (GCVE-0-2024-51994)
Vulnerability from cvelistv5
Published
2024-11-07 17:57
Modified
2024-11-07 18:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT Service Management tool. In affected versions uploading a text file containing some java script in the portal will trigger an Cross-site Scripting (XSS) vulnerability. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T18:34:24.357112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T18:35:18.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In affected versions uploading a text file containing some java script in the portal will trigger an Cross-site Scripting (XSS) vulnerability. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T17:57:54.681Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-jjph-c25g-5c7g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-jjph-c25g-5c7g"
}
],
"source": {
"advisory": "GHSA-jjph-c25g-5c7g",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in portal picture upload in Combodo iTop"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-51994",
"datePublished": "2024-11-07T17:57:54.681Z",
"dateReserved": "2024-11-04T17:46:16.776Z",
"dateUpdated": "2024-11-07T18:35:18.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39216 (GCVE-0-2022-39216)
Vulnerability from cvelistv5
Published
2023-03-14 15:10
Modified
2025-02-25 14:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-330 - Use of Insufficiently Random Values
Summary
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:42.541Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm"
},
{
"name": "https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229"
},
{
"name": "https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:29:27.159494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:57:48.211Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.2-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-14T15:10:51.815Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm"
},
{
"name": "https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229"
},
{
"name": "https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b"
}
],
"source": {
"advisory": "GHSA-hggq-48p2-cmhm",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop\u0027s weak password reset token leads to account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39216",
"datePublished": "2023-03-14T15:10:51.815Z",
"dateReserved": "2022-09-02T14:16:35.822Z",
"dateUpdated": "2025-02-25T14:57:48.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27139 (GCVE-0-2025-27139)
Vulnerability from cvelistv5
Published
2025-02-25 19:52
Modified
2025-02-25 20:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T20:07:30.988040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T20:07:39.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.12"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.1.2"
},
{
"status": "affected",
"version": "\u003e= 3.2.0-alpha1, \u003c 3.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T19:52:15.589Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-c6mg-9537-c8cf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c6mg-9537-c8cf"
}
],
"source": {
"advisory": "GHSA-c6mg-9537-c8cf",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop vulnerable to stored self Cross-site Scripting in preferences"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27139",
"datePublished": "2025-02-25T19:52:15.589Z",
"dateReserved": "2025-02-19T16:30:47.776Z",
"dateUpdated": "2025-02-25T20:07:39.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12781 (GCVE-0-2020-12781)
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-16 23:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.896Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"lessThanOrEqual": "2.7.0-beta2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-25T16:14:33",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Combodo iTop - CSRF",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-08-10T03:00:00.000Z",
"ID": "CVE-2020-12781",
"STATE": "PUBLIC",
"TITLE": "Combodo iTop - CSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "2.7.0-beta2"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html"
},
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v",
"refsource": "MISC",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 2.7.1"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-12781",
"datePublished": "2020-08-10T02:45:39.815408Z",
"dateReserved": "2020-05-11T00:00:00",
"dateUpdated": "2024-09-16T23:26:00.002Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39214 (GCVE-0-2022-39214)
Vulnerability from cvelistv5
Published
2023-03-14 15:10
Modified
2025-02-25 14:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4"
},
{
"name": "https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd"
},
{
"name": "https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39214",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:29:30.838799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:57:54.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.2-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account\u0027s username. This issue is fixed in versions 2.7.8 and 3.0.2-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-14T15:10:47.933Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4"
},
{
"name": "https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd"
},
{
"name": "https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa"
}
],
"source": {
"advisory": "GHSA-vj96-j84g-jhx4",
"discovery": "UNKNOWN"
},
"title": "Authenticated users of Combodo iTop can take over any account"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39214",
"datePublished": "2023-03-14T15:10:47.933Z",
"dateReserved": "2022-09-02T14:16:35.821Z",
"dateUpdated": "2025-02-25T14:57:54.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44396 (GCVE-0-2023-44396)
Vulnerability from cvelistv5
Published
2024-04-15 17:13
Modified
2024-08-02 20:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T18:01:00.715633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T18:26:42.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35"
},
{
"name": "https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273"
},
{
"name": "https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.1"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.4"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:13:45.144Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35"
},
{
"name": "https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273"
},
{
"name": "https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f"
}
],
"source": {
"advisory": "GHSA-gqqj-jgh6-3x35",
"discovery": "UNKNOWN"
},
"title": "iTop vulnerable to XSS in dashlet modifications ajax endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-44396",
"datePublished": "2024-04-15T17:13:45.144Z",
"dateReserved": "2023-09-28T17:56:32.614Z",
"dateUpdated": "2024-08-02T20:07:33.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43790 (GCVE-0-2023-43790)
Vulnerability from cvelistv5
Published
2024-04-15 17:10
Modified
2024-08-02 19:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used for the object friendlyname value. This vulnerability is fixed in 3.1.1 and 3.2.0.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43790",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T18:44:58.231949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-10T16:36:12.279Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97"
},
{
"name": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3..1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used for the object friendlyname value. This vulnerability is fixed in 3.1.1 and 3.2.0.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T17:10:39.144Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97"
},
{
"name": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732"
}
],
"source": {
"advisory": "GHSA-96xm-p83r-hm97",
"discovery": "UNKNOWN"
},
"title": "iTop vulnerable to XSS in friendlyname in object details"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43790",
"datePublished": "2024-04-15T17:10:39.144Z",
"dateReserved": "2023-09-22T14:51:42.338Z",
"dateUpdated": "2024-08-02T19:52:11.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24870 (GCVE-0-2022-24870)
Vulnerability from cvelistv5
Published
2022-04-21 16:40
Modified
2025-04-22 18:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:00.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24870",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:28.875389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:14:28.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-beta, \u003c 3.0.0-beta3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-21T16:40:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e"
}
],
"source": {
"advisory": "GHSA-29h7-jw2p-pcw3",
"discovery": "UNKNOWN"
},
"title": "Stored Cross-site Scripting in Combodo iTop",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24870",
"STATE": "PUBLIC",
"TITLE": "Stored Cross-site Scripting in Combodo iTop"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTop",
"version": {
"version_data": [
{
"version_value": "\u003e= 3.0.0-beta, \u003c 3.0.0-beta3"
}
]
}
}
]
},
"vendor_name": "Combodo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3",
"refsource": "CONFIRM",
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3"
},
{
"name": "https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b",
"refsource": "MISC",
"url": "https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b"
},
{
"name": "https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e",
"refsource": "MISC",
"url": "https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e"
}
]
},
"source": {
"advisory": "GHSA-29h7-jw2p-pcw3",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24870",
"datePublished": "2022-04-21T16:40:12.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:14:28.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64167 (GCVE-0-2025-64167)
Vulnerability from cvelistv5
Published
2025-11-10 21:15
Modified
2025-11-10 21:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T21:43:09.248764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:43:14.849Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.13"
},
{
"status": "affected",
"version": "\u003e= 3.0.0-alpha, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don\u0027t use export.php, which was deprecated. They use export-v2.php instead."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T21:15:11.632Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-pr7w-2cr9-5h38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pr7w-2cr9-5h38"
}
],
"source": {
"advisory": "GHSA-pr7w-2cr9-5h38",
"discovery": "UNKNOWN"
},
"title": "Combodo iTop vulnerable to reflected XSS in webservices/export.php"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64167",
"datePublished": "2025-11-10T21:15:11.632Z",
"dateReserved": "2025-10-28T21:07:16.438Z",
"dateUpdated": "2025-11-10T21:43:14.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}