All the vulnerabilities related to Combodo - iTop
cve-2024-31448
Vulnerability from cvelistv5
Published
2024-11-04 23:34
Modified
2024-11-05 16:28
Summary
Cross-site Scripting vulnerability in link CSV import in Combodo iTop
References
| URL | Tags |
|---|---|
| https://github.com/Combodo/iTop/security/advisories/GHSA-776w-x6v7-vfwf | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "3.1.2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-31448", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-05T16:28:22.368473Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-05T16:28:45.817Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.1.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. By filling malicious code in a CSV content, an Cross-site Scripting (XSS) attack can be performed when importing this content. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. Users unable to upgrade should validate CSV content before importing it." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T23:34:19.435Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-776w-x6v7-vfwf", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-776w-x6v7-vfwf" } ], "source": { "advisory": "GHSA-776w-x6v7-vfwf", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting vulnerability in link CSV import in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-31448", "datePublished": "2024-11-04T23:34:19.435Z", "dateReserved": "2024-04-03T17:55:32.645Z", "dateUpdated": "2024-11-05T16:28:45.817Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12778
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-17 01:26
Summary
Combodo iTop - Reflected XSS
References
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html | x_refsource_MISC |
| https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.890Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "lessThanOrEqual": "2.7.0-beta2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "datePublic": "2020-08-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Reflected XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-25T16:09:58", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv" } ], "solutions": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Combodo iTop - Reflected XSS", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "TWCERT/CC", "ASSIGNER": 
"cve@cert.org.tw", "DATE_PUBLIC": "2020-08-10T03:00:00.000Z", "ID": "CVE-2020-12778", "STATE": "PUBLIC", "TITLE": "Combodo iTop - Reflected XSS" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "0", "version_value": "2.7.0-beta2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Reflected XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html" }, { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv" } ] }, "solution": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-12778", "datePublished": "2020-08-10T02:45:38.492001Z", "dateReserved": "2020-05-11T00:00:00", "dateUpdated": "2024-09-17T01:26:51.771Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21407
Vulnerability from cvelistv5
Published
2021-07-21 15:15
Modified
2024-08-03 18:09
Summary
Portal : the CSRF token isn't validated
References
| URL | Tags |
|---|---|
| https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:16.011Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in version 2.7.4 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-21T15:15:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f" } ], "source": { "advisory": "GHSA-9wq8-4qm9-3j6f", "discovery": "UNKNOWN" }, "title": "Portal : the CSRF token isn\u0027t validated", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21407", "STATE": "PUBLIC", "TITLE": "Portal : the CSRF token isn\u0027t validated" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": 
[ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.4" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in version 2.7.4 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9wq8-4qm9-3j6f" } ] }, "source": { "advisory": "GHSA-9wq8-4qm9-3j6f", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21407", "datePublished": "2021-07-21T15:15:11", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:16.011Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-0805
Vulnerability from cvelistv5
Published
2014-03-20 16:00
Modified
2024-08-06 14:41
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to pages/UI.php or (2) expression parameter to pages/run_query.php. NOTE: some of these details are obtained from third party information.
References
| URL | Tags |
|---|---|
| https://www.csnc.ch/misc/files/advisories/CVE-2013-0805.txt | x_refsource_MISC |
| http://secunia.com/advisories/51702 | third-party-advisory, x_refsource_SECUNIA |
| http://packetstormsecurity.com/files/119767/iTop-Cross-Site-Scripting.html | x_refsource_MISC |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/81498 | vdb-entry, x_refsource_XF |
| http://seclists.org/bugtraq/2013/Jan/102 | mailing-list, x_refsource_BUGTRAQ |
| http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0208.html | mailing-list, x_refsource_FULLDISC |
| http://osvdb.org/89574 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:41:47.389Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.csnc.ch/misc/files/advisories/CVE-2013-0805.txt" }, { "name": "51702", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51702" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/119767/iTop-Cross-Site-Scripting.html" }, { "name": "itop-ui-runquery-xss(81498)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81498" }, { "name": "20130123 CVE-2013-0805 / CSNC-2013-001", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://seclists.org/bugtraq/2013/Jan/102" }, { "name": "20130123 CVE-2013-0805", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0208.html" }, { "name": "89574", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/89574" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-01-23T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to pages/UI.php or (2) expression parameter to pages/run_query.php. NOTE: some of these details are obtained from third party information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.csnc.ch/misc/files/advisories/CVE-2013-0805.txt" }, { "name": "51702", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51702" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/119767/iTop-Cross-Site-Scripting.html" }, { "name": "itop-ui-runquery-xss(81498)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81498" }, { "name": "20130123 CVE-2013-0805 / CSNC-2013-001", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://seclists.org/bugtraq/2013/Jan/102" }, { "name": "20130123 CVE-2013-0805", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0208.html" }, { "name": "89574", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/89574" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-0805", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to pages/UI.php or (2) expression parameter to pages/run_query.php. 
NOTE: some of these details are obtained from third party information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.csnc.ch/misc/files/advisories/CVE-2013-0805.txt", "refsource": "MISC", "url": "https://www.csnc.ch/misc/files/advisories/CVE-2013-0805.txt" }, { "name": "51702", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51702" }, { "name": "http://packetstormsecurity.com/files/119767/iTop-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/119767/iTop-Cross-Site-Scripting.html" }, { "name": "itop-ui-runquery-xss(81498)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81498" }, { "name": "20130123 CVE-2013-0805 / CSNC-2013-001", "refsource": "BUGTRAQ", "url": "http://seclists.org/bugtraq/2013/Jan/102" }, { "name": "20130123 CVE-2013-0805", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0208.html" }, { "name": "89574", "refsource": "OSVDB", "url": "http://osvdb.org/89574" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-0805", "datePublished": "2014-03-20T16:00:00", "dateReserved": "2013-01-05T00:00:00", "dateUpdated": "2024-08-06T14:41:47.389Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-31403
Vulnerability from cvelistv5
Published
2022-06-14 16:17
Modified
2024-08-03 07:19
Summary
ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php.
References
| URL | Tags |
|---|---|
| https://sourceforge.net/projects/itop/ | x_refsource_MISC |
| https://www.itophub.io/ | x_refsource_MISC |
| https://github.com/IbrahimEkimIsik/CVE/blob/main/CVE-2022-31403 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:19:05.811Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sourceforge.net/projects/itop/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.itophub.io/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/IbrahimEkimIsik/CVE/blob/main/CVE-2022-31403" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-14T16:17:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://sourceforge.net/projects/itop/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.itophub.io/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/IbrahimEkimIsik/CVE/blob/main/CVE-2022-31403" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-31403", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://sourceforge.net/projects/itop/", "refsource": "MISC", "url": "https://sourceforge.net/projects/itop/" }, { "name": "https://www.itophub.io/", "refsource": "MISC", "url": "https://www.itophub.io/" }, { "name": "https://github.com/IbrahimEkimIsik/CVE/blob/main/CVE-2022-31403", "refsource": "MISC", "url": "https://github.com/IbrahimEkimIsik/CVE/blob/main/CVE-2022-31403" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-31403", "datePublished": "2022-06-14T16:17:13", "dateReserved": "2022-05-23T00:00:00", "dateUpdated": "2024-08-03T07:19:05.811Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-48710
Vulnerability from cvelistv5
Published
2024-04-15 17:47
Modified
2024-08-02 21:37
Summary
iTop limit pages/exec.php script to PHP files
References
| URL | Tags |
|---|---|
| https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc | x_refsource_CONFIRM |
| https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26 | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "2.7.10", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "3.0.4", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThan": "3.1.1", "status": "affected", "version": "3.1.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-48710", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-07-26T19:03:48.293598Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-26T19:06:04.001Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T21:37:54.644Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc" }, { "name": "https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.10" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.4" }, { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT service management platform. 
Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. \n The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won\u0027t be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-552", "description": "CWE-552: Files or Directories Accessible to External Parties", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:47:51.113Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc" }, { "name": "https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26" } ], "source": { "advisory": "GHSA-g652-q7cc-7hfc", "discovery": "UNKNOWN" }, "title": "iTop limit pages/exec.php script to PHP files" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-48710", "datePublished": "2024-04-15T17:47:51.113Z", "dateReserved": "2023-11-17T19:43:37.555Z", "dateUpdated": "2024-08-02T21:37:54.644Z", "state": "PUBLISHED" }, 
"dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-51740
Vulnerability from cvelistv5
Published
2024-11-05 18:13
Modified
2024-11-05 19:02
Summary
SSRF through arbitrary PHP class instantiation in the user portal in Combodo iTop
References
| URL | Tags |
|---|---|
| https://github.com/Combodo/iTop/security/advisories/GHSA-w9g8-mxm5-ph62 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-51740", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-05T19:02:13.526725Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-05T19:02:20.310Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.11" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.5" }, { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-05T18:13:05.227Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-w9g8-mxm5-ph62", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w9g8-mxm5-ph62" } ], "source": { "advisory": "GHSA-w9g8-mxm5-ph62", "discovery": "UNKNOWN" }, "title": "SSRF through arbitrary PHP class instantiation in the user portal in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-51740", "datePublished": "2024-11-05T18:13:05.227Z", "dateReserved": "2024-10-31T14:12:45.789Z", "dateUpdated": "2024-11-05T19:02:20.310Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41245
Vulnerability from cvelistv5
Published
2022-04-05 15:05
Modified
2024-08-04 03:08
Summary
Possible Cross-Site Request Forgery in Combodo iTop
References
| URL | Tags |
|---|---|
| https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf | x_refsource_CONFIRM |
| https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186 | x_refsource_MISC |
| https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.546Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren\u0027t properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop config file." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-05T15:05:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186" }, { "tags": [ "x_refsource_MISC" ], "url": "https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae" } ], "source": { "advisory": "GHSA-33pr-5776-9jqf", "discovery": "UNKNOWN" }, "title": "Possible Cross-Site Request Forgery in Combodo iTop", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41245", "STATE": "PUBLIC", "TITLE": "Possible Cross-Site Request Forgery in Combodo iTop" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.6" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren\u0027t properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. 
As a workaround, use the session implementation by adding in the iTop config file." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf" }, { "name": "https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186" }, { "name": "https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae", "refsource": "MISC", "url": "https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae" } ] }, "source": { "advisory": "GHSA-33pr-5776-9jqf", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41245", "datePublished": "2022-04-05T15:05:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.546Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47626
Vulnerability from cvelistv5
Published
2024-04-15 17:36
Modified
2024-08-02 21:16
Summary
iTop vulnerable to XSS vulnerability in authent-token
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-47626", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-19T14:35:14.923567Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-19T21:03:36.972Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T21:16:42.094Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT service management platform. When displaying/editing the user\u0027s personal tokens, XSS attacks are possible. This vulnerability is fixed in 3.1.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:36:08.437Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h" } ], "source": { "advisory": "GHSA-vv3v-9vrv-h95h", "discovery": "UNKNOWN" }, "title": "iTop vulnerable to XSS vulnerability in authent-token" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-47626", "datePublished": "2024-04-15T17:36:08.437Z", "dateReserved": "2023-11-07T16:57:49.244Z", "dateUpdated": "2024-08-02T21:16:42.094Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-43790
Vulnerability from cvelistv5
Published
2024-04-15 17:10
Modified
2024-08-02 19:52
Summary
iTop vulnerable to XSS in friendlyname in object details
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97 | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-43790", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-09T18:44:58.231949Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-10T16:36:12.279Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T19:52:11.363Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97" }, { "name": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3..1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used for the object friendlyname value. 
This vulnerability is fixed in 3.1.1 and 3.2.0.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:10:39.144Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97" }, { "name": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732" } ], "source": { "advisory": "GHSA-96xm-p83r-hm97", "discovery": "UNKNOWN" }, "title": "iTop vulnerable to XSS in friendlyname in object details" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-43790", "datePublished": "2024-04-15T17:10:39.144Z", "dateReserved": "2023-09-22T14:51:42.338Z", "dateUpdated": "2024-08-02T19:52:11.363Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-44396
Vulnerability from cvelistv5
Published
2024-04-15 17:13
Modified
2024-08-02 20:07
Summary
iTop vulnerable to XSS in dashlet modifications ajax endpoints
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35 | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273 | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-44396", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-03T18:01:00.715633Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-03T18:26:42.839Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T20:07:33.423Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35" }, { "name": "https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273" }, { "name": "https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.1" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.4" }, { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. 
Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:13:45.144Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35" }, { "name": "https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273" }, { "name": "https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f" } ], "source": { "advisory": "GHSA-gqqj-jgh6-3x35", "discovery": "UNKNOWN" }, "title": "iTop vulnerable to XSS in dashlet modifications ajax endpoints" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-44396", "datePublished": "2024-04-15T17:13:45.144Z", "dateReserved": 
"2023-09-28T17:56:32.614Z", "dateUpdated": "2024-08-02T20:07:33.423Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-52002
Vulnerability from cvelistv5
Published
2024-11-08 22:16
Modified
2024-11-12 15:23
Summary
Cross-Site Request Forgery (CSRF) in several iTop pages
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-52002", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T15:23:11.845832Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-12T15:23:26.819Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.2.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-08T22:16:35.543Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm" } ], "source": { "advisory": "GHSA-xr4x-xq7v-7gqm", "discovery": "UNKNOWN" }, "title": "Cross-Site Request Forgery (CSRF) in several iTop pages" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52002", "datePublished": "2024-11-08T22:16:35.543Z", "dateReserved": "2024-11-04T17:46:16.778Z", "dateUpdated": "2024-11-12T15:23:26.819Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-34447
Vulnerability from cvelistv5
Published
2023-10-25 15:35
Modified
2024-09-11 20:36
Summary
iTop XSS vulnerability on pages/UI.php
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33 | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:10:07.191Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p" }, { "name": "https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33" }, { "name": "https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-34447", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T20:36:43.055666Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T20:36:52.769Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.0.4" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, on `pages/UI.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-25T15:35:24.730Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p" }, { "name": "https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33" }, { "name": "https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802" } ], "source": { "advisory": "GHSA-6rfm-2rwg-mj7p", "discovery": "UNKNOWN" }, "title": "iTop XSS vulnerability on pages/UI.php " } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-34447", "datePublished": "2023-10-25T15:35:24.730Z", "dateReserved": "2023-06-06T16:16:53.558Z", "dateUpdated": "2024-09-11T20:36:52.769Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24870
Vulnerability from cvelistv5
Published
2022-04-21 16:40
Modified
2024-08-03 04:29
Summary
Stored Cross-site Scripting in Combodo iTop
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:29:00.231Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003e= 3.0.0-beta, \u003c 3.0.0-beta3" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-21T16:40:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e" } ], "source": { "advisory": "GHSA-29h7-jw2p-pcw3", "discovery": "UNKNOWN" }, "title": "Stored Cross-site Scripting in Combodo iTop", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24870", "STATE": "PUBLIC", "TITLE": "Stored Cross-site Scripting in Combodo iTop" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003e= 3.0.0-beta, \u003c 3.0.0-beta3" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", 
"data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3" }, { "name": "https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b", "refsource": "MISC", "url": "https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b" }, { "name": 
"https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e", "refsource": "MISC", "url": "https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e" } ] }, "source": { "advisory": "GHSA-29h7-jw2p-pcw3", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24870", "datePublished": "2022-04-21T16:40:12", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:29:00.231Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-34443
Vulnerability from cvelistv5
Published
2024-11-04 23:29
Modified
2024-11-05 16:34
Summary
Cross-site Scripting vulnerability in the run_query.php page in Combodo iTop
References
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "2.7.9", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "3.0.4", "status": "affected", "version": "3.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-34443", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-05T16:34:20.393006Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-05T16:34:56.924Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.9" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. When displaying page Run queries Cross-site Scripting (XSS) are possible for scripts outside of script tags. This has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T23:29:00.751Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mx6-pwpp-j3xx", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mx6-pwpp-j3xx" }, { "name": "https://huntr.dev/bounties/c230d55d-1f0e-40c3-8c7e-20587d3e54da/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b", "tags": [ "x_refsource_MISC" ], "url": "https://huntr.dev/bounties/c230d55d-1f0e-40c3-8c7e-20587d3e54da/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b" } ], "source": { "advisory": "GHSA-9mx6-pwpp-j3xx", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting vulnerability in the run_query.php page in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": 
"GitHub_M", "cveId": "CVE-2023-34443", "datePublished": "2024-11-04T23:29:00.751Z", "dateReserved": "2023-06-06T16:16:53.557Z", "dateUpdated": "2024-11-05T16:34:56.924Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47488
Vulnerability from cvelistv5
Published
2023-11-09 00:00
Modified
2024-08-02 21:09
Summary
Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:09:37.324Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://bugplorer.github.io/cve-xss-itop/" }, { "tags": [ "x_transferred" ], "url": "https://nitipoom-jar.github.io/CVE-2023-47488/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-08T20:02:28.691666", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://bugplorer.github.io/cve-xss-itop/" }, { "url": "https://nitipoom-jar.github.io/CVE-2023-47488/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-47488", "datePublished": "2023-11-09T00:00:00", "dateReserved": "2023-11-06T00:00:00", "dateUpdated": "2024-08-02T21:09:37.324Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11215
Vulnerability from cvelistv5
Published
2020-02-14 17:31
Modified
2024-08-04 22:48
Summary
In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the file from the web interface leaves the file writable (can be triggered with XSS); a race condition can be triggered by the hub-connector module (community version only from 2.4.1 to 2.6.0); or editing the file in a CLI.
References
▼ | URL | Tags |
---|---|---|
https://www.itophub.io/wiki/page?id=2_6_0:release:change_log | x_refsource_MISC | |
https://0day.love/itop_vulnerabilities_disclosure.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:48:08.966Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.itophub.io/wiki/page?id=2_6_0:release:change_log" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the file from the web interface leaves the file writable (can be triggered with XSS); a race condition can be triggered by the hub-connector module (community version only from 2.4.1 to 2.6.0); or editing the file in a CLI." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-14T17:31:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.itophub.io/wiki/page?id=2_6_0:release:change_log" }, { "tags": [ "x_refsource_MISC" ], "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11215", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the file from the web interface leaves the file writable (can be triggered with XSS); a race condition can be triggered by the hub-connector module (community version only from 2.4.1 to 2.6.0); or editing the file in a CLI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.itophub.io/wiki/page?id=2_6_0:release:change_log", "refsource": "MISC", "url": "https://www.itophub.io/wiki/page?id=2_6_0:release:change_log" }, { "name": "https://0day.love/itop_vulnerabilities_disclosure.pdf", "refsource": "MISC", "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11215", "datePublished": "2020-02-14T17:31:29", "dateReserved": "2019-04-12T00:00:00", "dateUpdated": "2024-08-04T22:48:08.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-48709
Vulnerability from cvelistv5
Published
2024-04-15 17:43
Modified
2024-08-02 21:37
Summary
iTop vulnerable to potential formula injection in Excel/CSV export file
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9 | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "status": "affected", "version": "2.7.8" }, { "status": "affected", "version": "3.0.3" }, { "status": "affected", "version": "3.1.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-48709", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-17T20:03:47.109888Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-17T20:05:33.014Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T21:37:54.693Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9" }, { "name": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a" }, { "name": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.9" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.4" }, { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT 
service management platform. When exporting data from backoffice or portal in CSV or Excel files, users\u0027 inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1236", "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:43:05.871Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9" }, { "name": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a" }, { "name": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c" } ], "source": { "advisory": "GHSA-9q3x-9987-53x9", "discovery": 
"UNKNOWN" }, "title": "iTop vulnerable to potential formula injection in Excel/CSV export file" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-48709", "datePublished": "2024-04-15T17:43:05.871Z", "dateReserved": "2023-11-17T19:43:37.555Z", "dateUpdated": "2024-08-02T21:37:54.693Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-19821
Vulnerability from cvelistv5
Published
2020-03-16 17:15
Modified
2024-08-05 02:25
Summary
A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions 2.5.4, 2.6.3, 2.7.0
References
▼ | URL | Tags |
---|---|---|
https://www.combodo.com/itop-193 | x_refsource_MISC | |
https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/ | x_refsource_MISC | |
https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:25:12.773Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.combodo.com/itop-193" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. 
This is fixed in all iTop packages (community, essential, professional) in versions : 2.5.4, 2.6.3, 2.7.0" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-02T17:11:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.combodo.com/itop-193" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19821", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. 
This is fixed in all iTop packages (community, essential, professional) in versions : 2.5.4, 2.6.3, 2.7.0" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.combodo.com/itop-193", "refsource": "MISC", "url": "https://www.combodo.com/itop-193" }, { "name": "https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/", "refsource": "MISC", "url": "https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/" }, { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19821", "datePublished": "2020-03-16T17:15:50", "dateReserved": "2019-12-16T00:00:00", "dateUpdated": "2024-08-05T02:25:12.773Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-52001
Vulnerability from cvelistv5
Published
2024-11-08 22:18
Modified
2024-11-12 15:22
Summary
Portal user is able to access forbidden services information in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-9p26-v3wj-6q34 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-52001", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T15:19:19.544890Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-12T15:22:35.988Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.2.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. In affected versions portal users are able to access forbidden services information. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-08T22:18:17.828Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9p26-v3wj-6q34", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9p26-v3wj-6q34" } ], "source": { "advisory": "GHSA-9p26-v3wj-6q34", "discovery": "UNKNOWN" }, "title": "Portal user is able to 
access forbidden services information in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52001", "datePublished": "2024-11-08T22:18:17.828Z", "dateReserved": "2024-11-04T17:46:16.778Z", "dateUpdated": "2024-11-12T15:22:35.988Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-34446
Vulnerability from cvelistv5
Published
2023-10-25 15:35
Modified
2024-09-10 20:42
Summary
iTop XSS vulnerability on pages/preferences.php
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68 | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T16:10:07.040Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68" }, { "name": "https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "3.0.4", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-34446", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T20:40:03.773519Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-10T20:42:19.268Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.0.4" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, when displaying `pages/preferences.php`, cross site scripting is possible. 
This issue is fixed in versions 3.0.4 and 3.1.0.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-25T15:35:21.187Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q4pp-j46r-gm68" }, { "name": "https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10" } ], "source": { "advisory": "GHSA-q4pp-j46r-gm68", "discovery": "UNKNOWN" }, "title": "iTop XSS vulnerability on pages/preferences.php " } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-34446", "datePublished": "2023-10-25T15:35:21.187Z", "dateReserved": "2023-06-06T16:16:53.557Z", "dateUpdated": "2024-09-10T20:42:19.268Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-32776
Vulnerability from cvelistv5
Published
2021-07-21 20:25
Modified
2024-08-03 23:33
Summary
No CSRF form token cleanup on Windows servers
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:33:55.825Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-21T20:25:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr" } ], "source": { "advisory": "GHSA-cxw7-2x7h-f7pr", "discovery": "UNKNOWN" }, "title": "No CSRF form token cleanup on Windows servers", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32776", "STATE": "PUBLIC", "TITLE": "No CSRF form token cleanup on Windows servers" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": 
[ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.4" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-cxw7-2x7h-f7pr" } ] }, "source": { "advisory": "GHSA-cxw7-2x7h-f7pr", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32776", "datePublished": "2021-07-21T20:25:09", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:55.825Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-13967
Vulnerability from cvelistv5
Published
2020-02-14 21:03
Modified
2024-08-05 00:05
Summary
iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version.
References
▼ | URL | Tags |
---|---|---|
https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log | x_refsource_MISC | |
https://0day.love/itop_vulnerabilities_disclosure.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:05:44.078Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production\u0026exec_module=itop-hub-connector\u0026exec_page=ajax.php\u0026operation=compile URI. This only affects the community version." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-14T21:03:45", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "tags": [ "x_refsource_MISC" ], "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13967", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many 
requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production\u0026exec_module=itop-hub-connector\u0026exec_page=ajax.php\u0026operation=compile URI. This only affects the community version." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log", "refsource": "MISC", "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "name": "https://0day.love/itop_vulnerabilities_disclosure.pdf", "refsource": "MISC", "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13967", "datePublished": "2020-02-14T21:03:45", "dateReserved": "2019-07-18T00:00:00", "dateUpdated": "2024-08-05T00:05:44.078Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-10642
Vulnerability from cvelistv5
Published
2018-05-02 07:00
Modified
2024-08-05 07:46
Summary
Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().
References
▼ | URL | Tags |
---|---|---|
https://sourceforge.net/p/itop/tickets/1585/ | x_refsource_CONFIRM | |
https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T07:46:46.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://sourceforge.net/p/itop/tickets/1585/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-05-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval()." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-05-14T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://sourceforge.net/p/itop/tickets/1585/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-10642", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to 
execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval()." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://sourceforge.net/p/itop/tickets/1585/", "refsource": "CONFIRM", "url": "https://sourceforge.net/p/itop/tickets/1585/" }, { "name": "https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt", "refsource": "MISC", "url": "https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-10642", "datePublished": "2018-05-02T07:00:00", "dateReserved": "2018-05-02T00:00:00", "dateUpdated": "2024-08-05T07:46:46.045Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-51994
Vulnerability from cvelistv5
Published
2024-11-07 17:57
Modified
2024-11-07 18:35
Summary
Cross-site Scripting in portal picture upload in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-jjph-c25g-5c7g | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-51994", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-07T18:34:24.357112Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-07T18:35:18.937Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.2.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In affected versions uploading a text file containing some java script in the portal will trigger an Cross-site Scripting (XSS) vulnerability. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T17:57:54.681Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-jjph-c25g-5c7g", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-jjph-c25g-5c7g" } ], "source": { "advisory": "GHSA-jjph-c25g-5c7g", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting in portal picture upload in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-51994", "datePublished": "2024-11-07T17:57:54.681Z", "dateReserved": "2024-11-04T17:46:16.776Z", "dateUpdated": "2024-11-07T18:35:18.937Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12779
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-16 16:27
Summary
Combodo iTop - Stored XSS
References
▼ | URL | Tags |
---|---|---|
https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html | x_refsource_MISC | |
https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.867Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "lessThanOrEqual": "2.7.0-beta2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "datePublic": "2020-08-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Stored XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-25T16:03:55", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247" } ], "solutions": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Combodo iTop - Stored XSS", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "TWCERT/CC", 
"ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-08-10T03:00:00.000Z", "ID": "CVE-2020-12779", "STATE": "PUBLIC", "TITLE": "Combodo iTop - Stored XSS" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "0", "version_value": "2.7.0-beta2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Stored XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html" }, { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247" } ] }, "solution": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-12779", "datePublished": "2020-08-10T02:45:38.893251Z", "dateReserved": "2020-05-11T00:00:00", "dateUpdated": "2024-09-16T16:27:55.266Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21406
Vulnerability from cvelistv5
Published
2021-07-21 15:05
Modified
2024-08-03 18:09
Summary
Command Injection vulnerability in the Setup Wizard
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:16.146Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-21T15:05:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x" } ], "source": { "advisory": "GHSA-pf95-6h7q-q85x", "discovery": "UNKNOWN" }, "title": "Command Injection vulnerability in the Setup Wizard", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21406", "STATE": "PUBLIC", "TITLE": "Command Injection vulnerability in the 
Setup Wizard" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.4" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing Graphviz executable path. The vulnerability is patched in version 2.7.4 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-pf95-6h7q-q85x" } ] }, "source": { "advisory": "GHSA-pf95-6h7q-q85x", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21406", "datePublished": "2021-07-21T15:05:10", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:16.146Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12781
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-16 23:26
Summary
Combodo iTop - CSRF
References
▼ | URL | Tags |
---|---|---|
https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html | x_refsource_MISC | |
https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.896Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "lessThanOrEqual": "2.7.0-beta2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "datePublic": "2020-08-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-25T16:14:33", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v" } ], "solutions": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Combodo iTop - CSRF", "x_generator": { "engine": "Vulnogram 0.0.9" }, 
"x_legacyV4Record": { "CVE_data_meta": { "AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-08-10T03:00:00.000Z", "ID": "CVE-2020-12781", "STATE": "PUBLIC", "TITLE": "Combodo iTop - CSRF" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "0", "version_value": "2.7.0-beta2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3837-050db-1.html" }, { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v" } ] }, "solution": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-12781", "datePublished": 
"2020-08-10T02:45:39.815408Z", "dateReserved": "2020-05-11T00:00:00", "dateUpdated": "2024-09-16T23:26:00.002Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-32664
Vulnerability from cvelistv5
Published
2021-10-19 17:45
Modified
2024-08-03 23:25
Summary
Reflected XSS in Combodo/iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704 | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:25:31.081Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.6.5" }, { "status": "affected", "version": "\u003e= 2.7.0, \u003c 2.7.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is an open source web based IT Service Management tool. In affected versions there is a XSS vulnerability on \"run query\" page when logged as administrator. This has been resolved in versions 2.6.5 and 2.7.5." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-19T17:45:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6" } ], "source": { "advisory": "GHSA-j758-ggwg-9mpj", "discovery": "UNKNOWN" }, "title": "Reflected XSS in Combodo/iTop", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32664", "STATE": "PUBLIC", "TITLE": "Reflected XSS in Combodo/iTop" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.6.5" }, { "version_value": "\u003e= 2.7.0, \u003c 2.7.5" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is an open source web based IT Service 
Management tool. In affected versions there is a XSS vulnerability on \"run query\" page when logged as administrator. This has been resolved in versions 2.6.5 and 2.7.5." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-j758-ggwg-9mpj" }, { "name": "https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/4f5c987d8b1bd12814dc606ea69b6cfb88490704" }, { "name": "https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/84741c19f0af6fa8e7082a8807eb089182e7b88a" }, { "name": "https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/86f649affc12b5078efc86d9439d67d98f4cb2f6" } ] }, "source": { "advisory": "GHSA-j758-ggwg-9mpj", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32664", "datePublished": "2021-10-19T17:45:12", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:31.081Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", 
"dataVersion": "5.1" }
cve-2022-24780
Vulnerability from cvelistv5
Published
2022-04-05 18:30
Modified
2024-08-03 04:20
Summary
Code Injection in Combodo iTop
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:50.459Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://markus-krell.de/itop-template-injection-inside-customer-portal/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-23T15:06:07", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305" }, { "tags": [ "x_refsource_MISC" ], "url": "https://markus-krell.de/itop-template-injection-inside-customer-portal/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html" } ], "source": { "advisory": "GHSA-v97m-wgxq-rh54", "discovery": "UNKNOWN" }, "title": "Code Injection in Combodo iTop", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24780", "STATE": "PUBLIC", "TITLE": "Code Injection in Combodo iTop" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.6" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", 
"data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54" }, { "name": "https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3" }, { "name": "https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b" }, { "name": "https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305" }, { "name": "https://markus-krell.de/itop-template-injection-inside-customer-portal/", "refsource": "MISC", "url": 
"https://markus-krell.de/itop-template-injection-inside-customer-portal/" }, { "name": "http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html" } ] }, "source": { "advisory": "GHSA-v97m-wgxq-rh54", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24780", "datePublished": "2022-04-05T18:30:18", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.459Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12780
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-16 20:06
Summary
Combodo iTop - Security Misconfiguration
References
▼ | URL | Tags |
---|---|---|
https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html | x_refsource_MISC | |
https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.887Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "lessThanOrEqual": "2.7.0-beta2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "datePublic": "2020-08-10T00:00:00", "descriptions": [ { "lang": "en", "value": "A security misconfiguration exists in Combodo iTop, which can expose sensitive information." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Security Misconfiguration", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-25T16:12:22", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78" } ], "solutions": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Combodo iTop - Security Misconfiguration", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "AKA": "TWCERT/CC", "ASSIGNER": 
"cve@cert.org.tw", "DATE_PUBLIC": "2020-08-10T03:00:00.000Z", "ID": "CVE-2020-12780", "STATE": "PUBLIC", "TITLE": "Combodo iTop - Security Misconfiguration" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "0", "version_value": "2.7.0-beta2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A security misconfiguration exists in Combodo iTop, which can expose sensitive information." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Security Misconfiguration" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3836-47d6c-1.html" }, { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78" } ] }, "solution": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-12780", "datePublished": "2020-08-10T02:45:39.363087Z", "dateReserved": "2020-05-11T00:00:00", "dateUpdated": "2024-09-16T20:06:35.625Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
cve-2020-12777
Vulnerability from cvelistv5
Published
2020-08-10 02:45
Modified
2024-09-17 03:22
Summary
Combodo iTop - Broken Access Control
References
▼ | URL | Tags |
---|---|---|
https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html | x_refsource_MISC | |
https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.895Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "lessThanOrEqual": "2.7.0-beta2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "datePublic": "2020-08-10T00:00:00", "descriptions": [ { "lang": "en", "value": "A function in Combodo iTop contains a Broken Access Control vulnerability, which allows an unauthenticated attacker to inject commands and disclose system information." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Broken Access Control", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-09-25T16:16:58", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2" } ], "solutions": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Combodo iTop - Broken Access Control", "x_generator": { "engine": "Vulnogram 0.0.9" }, 
"x_legacyV4Record": { "CVE_data_meta": { "AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-08-10T03:00:00.000Z", "ID": "CVE-2020-12777", "STATE": "PUBLIC", "TITLE": "Combodo iTop - Broken Access Control" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "0", "version_value": "2.7.0-beta2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Broken Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html" }, { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2" } ] }, "solution": [ { "lang": "en", "value": "Update to version 2.7.1" } ], "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-12777", "datePublished": 
"2020-08-10T02:45:38.090892Z", "dateReserved": "2020-05-11T00:00:00", "dateUpdated": "2024-09-17T03:22:24.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24811
Vulnerability from cvelistv5
Published
2022-04-05 18:35
Modified
2024-08-03 04:20
Summary
Cross-site Scripting in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4 | x_refsource_MISC | |
https://huntr.dev/bounties/1625056478879-Combodo/iTop/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:50.530Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://huntr.dev/bounties/1625056478879-Combodo/iTop/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-05T18:35:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://huntr.dev/bounties/1625056478879-Combodo/iTop/" } ], "source": { "advisory": "GHSA-67x5-mqg4-rvgc", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting in Combodo iTop", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24811", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting in Combodo iTop" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.6" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. 
There are currently no known workarounds." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc" }, { "name": "https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4" }, { "name": "https://huntr.dev/bounties/1625056478879-Combodo/iTop/", "refsource": "MISC", "url": "https://huntr.dev/bounties/1625056478879-Combodo/iTop/" } ] }, "source": { "advisory": "GHSA-67x5-mqg4-rvgc", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24811", "datePublished": "2022-04-05T18:35:11", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.530Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-52000
Vulnerability from cvelistv5
Published
2024-11-08 22:20
Modified
2024-11-12 15:59
Summary
Reflected Cross-site Scripting exploit in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-52000", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-12T15:58:58.399828Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-12T15:59:23.446Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.2.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request\u0027s payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-08T22:20:02.422Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg" } ], "source": { "advisory": "GHSA-r58g-p5r9-8hfg", "discovery": "UNKNOWN" }, "title": "Reflected Cross-site Scripting exploit in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-52000", "datePublished": "2024-11-08T22:20:02.422Z", "dateReserved": "2024-11-04T17:46:16.778Z", "dateUpdated": "2024-11-12T15:59:23.446Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-31998
Vulnerability from cvelistv5
Published
2024-11-04 23:35
Modified
2024-11-05 16:27
Summary
CSRF security issue on CSV import in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "3.1.2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-31998", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-05T16:27:03.151474Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-05T16:27:54.054Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.1.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T23:35:22.676Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r" } ], "source": { "advisory": "GHSA-8cwx-q4xh-7c7r", "discovery": "UNKNOWN" }, "title": "CSRF security issue on CSV import in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-31998", "datePublished": "2024-11-04T23:35:22.676Z", "dateReserved": "2024-04-08T13:48:37.492Z", "dateUpdated": "2024-11-05T16:27:54.054Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-11697
Vulnerability from cvelistv5
Published
2020-06-05 21:01
Modified
2024-08-04 11:35
Summary
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
References
▼ | URL | Tags |
---|---|---|
https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3A2_7_whats_new | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/security/advisories/GHSA-xfh9-5632-hxmv | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:35:13.762Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3A2_7_whats_new" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xfh9-5632-hxmv" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-06-05T00:00:00", "descriptions": [ { "lang": "en", "value": "In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-05T21:01:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3A2_7_whats_new" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xfh9-5632-hxmv" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11697", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. 
This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3A2_7_whats_new", "refsource": "CONFIRM", "url": "https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3A2_7_whats_new" }, { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-xfh9-5632-hxmv", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xfh9-5632-hxmv" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11697", "datePublished": "2020-06-05T21:01:27", "dateReserved": "2020-04-10T00:00:00", "dateUpdated": "2024-08-04T11:35:13.762Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-34445
Vulnerability from cvelistv5
Published
2024-11-04 23:31
Modified
2024-11-05 16:29
Summary
Cross-site Scripting vulnerability on pages/ajax.render.php in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-mm45-wh68-jpvq | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "2.7.9", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "3.0.4", "status": "affected", "version": "3.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-34445", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-05T16:29:08.695276Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-05T16:29:52.751Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.9" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T23:31:51.164Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-mm45-wh68-jpvq", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-mm45-wh68-jpvq" } ], "source": { "advisory": "GHSA-mm45-wh68-jpvq", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting vulnerability on pages/ajax.render.php in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-34445", "datePublished": "2024-11-04T23:31:51.164Z", "dateReserved": "2023-06-06T16:16:53.557Z", "dateUpdated": "2024-11-05T16:29:52.751Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47622
Vulnerability from cvelistv5
Published
2024-04-15 17:34
Modified
2024-08-02 21:16
Summary
iTop vulnerable to XSS vulnerability in dashlet refresh
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-47622", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-15T21:12:54.999854Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:26:35.184Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T21:16:42.196Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh" }, { "name": "https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.0.4" }, { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT service management platform. When dashlet are refreshed, XSS attacks are possible. This vulnerability is fixed in 3.0.4 and 3.1.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:34:01.226Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh" }, { "name": "https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9" } ], "source": { "advisory": "GHSA-q9cm-q7fc-frxh", "discovery": "UNKNOWN" }, "title": "iTop vulnerable to XSS vulnerability in dashlet refresh" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-47622", "datePublished": "2024-04-15T17:34:01.226Z", "dateReserved": "2023-11-07T16:57:49.243Z", "dateUpdated": "2024-08-02T21:16:42.196Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-4275
Vulnerability from cvelistv5
Published
2011-11-26 02:00
Modified
2024-08-07 00:01
Summary
Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/520632 | mailing-list, x_refsource_BUGTRAQ | |
http://www.securityfocus.com/archive/1/520632/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:01:51.531Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20111116 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/520632" }, { "name": "20111121 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/520632/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-11-16T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20111116 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/520632" }, { "name": "20111121 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/520632/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-4275", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20111116 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/520632" }, { "name": "20111121 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/520632/100/0/threaded" }, { "name": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt", "refsource": "MISC", "url": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-4275", "datePublished": "2011-11-26T02:00:00", "dateReserved": "2011-11-03T00:00:00", "dateUpdated": "2024-08-07T00:01:51.531Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-39214
Vulnerability from cvelistv5
Published
2023-03-14 15:10
Modified
2024-08-03 12:00
Summary
Authenticated users of Combodo iTop can take over any account
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4 | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:00:43.335Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4" }, { "name": "https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd" }, { "name": "https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.8" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.2-1" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account\u0027s username. This issue is fixed in versions 2.7.8 and 3.0.2-1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-14T15:10:47.933Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4" }, { "name": "https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd" }, { "name": "https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa" } ], "source": { "advisory": "GHSA-vj96-j84g-jhx4", "discovery": "UNKNOWN" }, "title": "Authenticated users of Combodo iTop can take over any account" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39214", "datePublished": "2023-03-14T15:10:47.933Z", "dateReserved": "2022-09-02T14:16:35.821Z", "dateUpdated": "2024-08-03T12:00:43.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-32775
Vulnerability from cvelistv5
Published
2021-07-21 20:20
Modified
2024-08-03 23:33
Summary
Any user can see any fields (including mailbox password) with GroupBy Dashlet
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:33:56.079Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field values through GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-21T20:20:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq" } ], "source": { "advisory": "GHSA-xh7w-rrp3-fhpq", "discovery": "UNKNOWN" }, "title": " Any user can see any fields (including mailbox password) with GroupBy Dashlet", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32775", "STATE": "PUBLIC", "TITLE": " Any user can see any fields (including mailbox password) with GroupBy 
Dashlet" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.4" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field values through GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-209: Generation of Error Message Containing Sensitive Information" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq" } ] }, "source": { "advisory": "GHSA-xh7w-rrp3-fhpq", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32775", "datePublished": "2021-07-21T20:20:09", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:56.079Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-34444
Vulnerability from cvelistv5
Published
2024-11-04 23:30
Modified
2024-11-05 16:31
Summary
Cross-site Scripting vulnerability on pages/ajax.searchform.php in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-rwx9-rcxf-qrwv | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "2.7.9", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "3.0.4", "status": "affected", "version": "3.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-34444", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-05T16:30:36.580534Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-05T16:31:24.314Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.9" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T23:30:21.686Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rwx9-rcxf-qrwv", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rwx9-rcxf-qrwv" } ], "source": { "advisory": "GHSA-rwx9-rcxf-qrwv", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting vulnerability on pages/ajax.searchform.php in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-34444", "datePublished": "2024-11-04T23:30:21.686Z", "dateReserved": "2023-06-06T16:16:53.557Z", "dateUpdated": "2024-11-05T16:31:24.314Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47489
Vulnerability from cvelistv5
Published
2023-11-09 00:00
Modified
2024-08-02 21:09
Summary
CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:09:37.351Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://bugplorer.github.io/cve-csv-itop/" }, { "tags": [ "x_transferred" ], "url": "https://nitipoom-jar.github.io/CVE-2023-47489/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-11T22:40:43.302019", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://bugplorer.github.io/cve-csv-itop/" }, { "url": "https://nitipoom-jar.github.io/CVE-2023-47489/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-47489", "datePublished": "2023-11-09T00:00:00", "dateReserved": "2023-11-06T00:00:00", "dateUpdated": "2024-08-02T21:09:37.351Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-51739
Vulnerability from cvelistv5
Published
2024-11-05 18:11
Modified
2024-11-05 18:50
Summary
Users enumeration allowed through Rest API in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-2hmf-p27w-phf9 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "2.7.11", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "3.0.5", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThanOrEqual": "3.1.2", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "status": "unaffected", "version": "3.2.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-51739", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-05T18:44:44.280050Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-05T18:50:23.340Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.11" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.5" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.1.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it easier to bruteforce a valid account. As a fix the sentence displayed after resetting password no longer shows if the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may overload the dictionary entry `\"UI:ResetPwd-Error-WrongLogin\"` through an extension and replace it with a generic message." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-05T18:11:37.244Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-2hmf-p27w-phf9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-2hmf-p27w-phf9" } ], "source": { "advisory": "GHSA-2hmf-p27w-phf9", "discovery": "UNKNOWN" }, "title": "Users enumeration allowed through Rest API in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-51739", "datePublished": "2024-11-05T18:11:37.244Z", "dateReserved": "2024-10-31T14:12:45.789Z", "dateUpdated": "2024-11-05T18:50:23.340Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-38511
Vulnerability from cvelistv5
Published
2024-04-15 17:06
Modified
2024-08-02 17:46
Summary
iTop Dashboard editor vulnerable dashboard config file parameter
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7 | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab | x_refsource_MISC | |
https://www.synacktiv.com/advisories/file-read-in-itop | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-38511", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-17T20:37:20.591801Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:28:15.955Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T17:46:56.635Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm" }, { "name": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7" }, { "name": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab" }, { "name": "https://www.synacktiv.com/advisories/file-read-in-itop", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.synacktiv.com/advisories/file-read-in-itop" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.4" }, { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. 
This vulnerability is fixed in 3.0.4 and 3.1.1.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:08:27.830Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm" }, { "name": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7" }, { "name": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab" }, { "name": "https://www.synacktiv.com/advisories/file-read-in-itop", "tags": [ "x_refsource_MISC" ], "url": "https://www.synacktiv.com/advisories/file-read-in-itop" } ], "source": { "advisory": "GHSA-323r-chx5-m9gm", "discovery": "UNKNOWN" }, "title": "iTop Dashboard editor vulnerable dashboard config file parameter" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-38511", "datePublished": "2024-04-15T17:06:35.666Z", "dateReserved": "2023-07-18T16:28:12.078Z", 
"dateUpdated": "2024-08-02T17:46:56.635Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45808
Vulnerability from cvelistv5
Published
2024-04-15 17:28
Modified
2024-08-02 20:29
Summary
iTop missing silo check on extkey in console and portal
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7 | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385 | x_refsource_MISC |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-45808", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-15T18:04:10.401346Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:19:57.785Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T20:29:32.468Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh" }, { "name": "https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7" }, { "name": "https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.10" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.4" }, { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT service management platform. When creating or updating an object, extkey values aren\u0027t checked to be in the current user silo. 
In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:28:41.058Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh" }, { "name": "https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7" }, { "name": "https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385" } ], "source": { "advisory": "GHSA-245j-66p9-pwmh", "discovery": "UNKNOWN" }, "title": "iTop missing silo check on extkey in console and portal" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-45808", "datePublished": "2024-04-15T17:28:41.058Z", "dateReserved": "2023-10-13T12:00:50.436Z", "dateUpdated": "2024-08-02T20:29:32.468Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-51993
Vulnerability from cvelistv5
Published
2024-11-07 17:59
Modified
2024-11-07 18:32
Summary
Password is stored in clear in the database in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-51993", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-07T18:32:31.429198Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-07T18:32:36.129Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.2.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. An attacker accessing a backup file or the database can read some passwords for misconfigured Users. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. Users unable to upgrade are advised to encrypt their backups independently of the iTop application.\n\n### Patches\nSanitize parameter\n\n### References\nN\u00b07631 - Password is stored in clear in the database." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T17:59:18.617Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427" } ], "source": { "advisory": "GHSA-9mq5-349x-x427", "discovery": "UNKNOWN" }, "title": "Password is stored in clear in the database in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-51993", "datePublished": "2024-11-07T17:59:18.617Z", "dateReserved": "2024-11-04T17:46:16.776Z", "dateUpdated": "2024-11-07T18:32:36.129Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-51995
Vulnerability from cvelistv5
Published
2024-11-07 17:55
Modified
2024-11-07 18:16
Summary
Logic bug in ajax.render.php allows for bypass of 'backOffice' access control in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-3mxr-8r3j-j2j9 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-51995", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-07T18:16:46.169964Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-07T18:16:51.358Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.2.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. An attacker can request any `route` we want as long as we specify an `operation` that is allowed. This issue has been addressed in version 3.2.0 by applying the same access control pattern as in `UI.php` to the `ajax.render.php` page which does not allow arbitrary `routes` to be dispatched. All users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-07T17:55:15.598Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-3mxr-8r3j-j2j9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-3mxr-8r3j-j2j9" } ], "source": { "advisory": "GHSA-3mxr-8r3j-j2j9", "discovery": "UNKNOWN" }, "title": "Logic bug in ajax.render.php allows for bypass of \u0027backOffice\u0027 access control in Combodo iTop" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-51995", "datePublished": "2024-11-07T17:55:15.598Z", "dateReserved": "2024-11-04T17:46:16.776Z", "dateUpdated": "2024-11-07T18:16:51.358Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15221
Vulnerability from cvelistv5
Published
2021-01-13 17:10
Modified
2024-08-04 13:08
Summary
XSS in the breadcrumbs
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:23.137Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-13T17:10:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw" } ], "source": { "advisory": "GHSA-w6g2-p7pf-7hvw", "discovery": "UNKNOWN" }, "title": "XSS in the breadcrumbs", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15221", "STATE": "PUBLIC", "TITLE": "XSS in the breadcrumbs" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": 
[ { "version_value": "\u003c 2.7.2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw" } ] }, "source": { "advisory": "GHSA-w6g2-p7pf-7hvw", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15221", "datePublished": "2021-01-13T17:10:15", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:23.137Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41162
Vulnerability from cvelistv5
Published
2022-04-21 16:45
Modified
2024-08-04 02:59
Summary
Cross-site Scripting in Combodo iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95 | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.649Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003e= 3.0.0-beta, \u003c 3.0.0-beta6" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-21T16:45:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0" } ], "source": { "advisory": "GHSA-w5jw-hfvp-gx95", "discovery": "UNKNOWN" }, "title": "Cross-site Scripting in Combodo iTop", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41162", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting in Combodo iTop" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003e= 3.0.0-beta, \u003c 3.0.0-beta6" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. 
There are no known workarounds for this issue." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95" }, { "name": "https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0" } ] }, "source": { "advisory": "GHSA-w5jw-hfvp-gx95", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41162", "datePublished": "2022-04-21T16:45:13", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.649Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-32870
Vulnerability from cvelistv5
Published
2024-11-04 23:36
Modified
2024-11-05 16:26
Summary
iTop hub connector Information disclosure
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-rfjh-2f5x-qxmx | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "lessThan": "2.7.11", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "3.0.5", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThan": "3.1.2", "status": "affected", "version": "3.1.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-32870", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-05T16:25:00.433322Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-05T16:26:44.887Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.11" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.5" }, { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be read by anyone having access to iTop URI. This issue has been patched in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-04T23:36:46.265Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rfjh-2f5x-qxmx", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rfjh-2f5x-qxmx" } ], "source": { "advisory": "GHSA-rfjh-2f5x-qxmx", "discovery": "UNKNOWN" }, "title": "iTop hub connector Information disclosure" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-32870", "datePublished": "2024-11-04T23:36:46.265Z", "dateReserved": "2024-04-19T14:07:11.229Z", "dateUpdated": "2024-11-05T16:26:44.887Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-13966
Vulnerability from cvelistv5
Published
2020-02-14 21:02
Modified
2024-08-05 00:05
Summary
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
References
▼ | URL | Tags |
---|---|---|
https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log | x_refsource_MISC | |
https://0day.love/itop_vulnerabilities_disclosure.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:05:44.079Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-14T21:02:47", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "tags": [ "x_refsource_MISC" ], "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13966", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log", "refsource": "MISC", "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "name": "https://0day.love/itop_vulnerabilities_disclosure.pdf", "refsource": "MISC", "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13966", "datePublished": "2020-02-14T21:02:47", "dateReserved": "2019-07-18T00:00:00", "dateUpdated": "2024-08-05T00:05:44.079Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-31402
Vulnerability from cvelistv5
Published
2022-06-10 16:47
Modified
2024-08-03 07:19
Summary
ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.
References
▼ | URL | Tags |
---|---|---|
https://sourceforge.net/projects/itop/ | x_refsource_MISC | |
https://www.itophub.io/ | x_refsource_MISC | |
https://github.com/YavuzSahbaz/CVE-2022-31402/blob/main/iTop%203.0.1%20XSS%20Vulnerability | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:19:05.685Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://sourceforge.net/projects/itop/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.itophub.io/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/YavuzSahbaz/CVE-2022-31402/blob/main/iTop%203.0.1%20XSS%20Vulnerability" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-10T16:47:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://sourceforge.net/projects/itop/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.itophub.io/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/YavuzSahbaz/CVE-2022-31402/blob/main/iTop%203.0.1%20XSS%20Vulnerability" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-31402", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://sourceforge.net/projects/itop/", "refsource": "MISC", "url": "https://sourceforge.net/projects/itop/" }, { "name": "https://www.itophub.io/", "refsource": "MISC", "url": "https://www.itophub.io/" }, { "name": "https://github.com/YavuzSahbaz/CVE-2022-31402/blob/main/iTop%203.0.1%20XSS%20Vulnerability", "refsource": "MISC", "url": "https://github.com/YavuzSahbaz/CVE-2022-31402/blob/main/iTop%203.0.1%20XSS%20Vulnerability" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-31402", "datePublished": "2022-06-10T16:47:00", "dateReserved": "2022-05-23T00:00:00", "dateUpdated": "2024-08-03T07:19:05.685Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-47123
Vulnerability from cvelistv5
Published
2024-04-15 17:31
Modified
2024-08-02 21:01
Summary
iTop vulnerable to XSS vulnerability in n:n relations "tagset" widget
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72 | x_refsource_MISC |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:combodo:itop:*:-:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "status": "unknown", "version": "3.1.1" } ] }, { "cpes": [ "cpe:2.3:a:combodo:itop:*:*:*:*:-:*:*:*" ], "defaultStatus": "unknown", "product": "itop", "vendor": "combodo", "versions": [ { "status": "unknown", "version": "3.2.0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-47123", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-19T21:03:01.075263Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:26:44.001Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T21:01:22.830Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp" }, { "name": "https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003e= 3.1.0, \u003c 3.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an IT service management platform. By filling malicious code in an object friendlyname / complementary name, an XSS attack can be performed when this object will displayed as an n:n relation item in another object. This vulnerability is fixed in 3.1.1 and 3.2.0." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-15T17:31:21.407Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp" }, { "name": "https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72" } ], "source": { "advisory": "GHSA-mx8x-693w-9hjp", "discovery": "UNKNOWN" }, "title": "iTop vulnerable to XSS vulnerability in n:n relations \"tagset\" widget" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-47123", "datePublished": "2024-04-15T17:31:21.407Z", "dateReserved": "2023-10-30T19:57:51.676Z", "dateUpdated": "2024-08-02T21:01:22.830Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-4079
Vulnerability from cvelistv5
Published
2021-01-12 19:20
Modified
2024-08-04 07:52
Summary
Information disclosure vulnerability in iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T07:52:20.880Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the \"excel export\" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data they which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-12T19:20:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh" } ], "source": { "advisory": "GHSA-vcv9-xp3j-7jwh", "discovery": "UNKNOWN" }, "title": "Information disclosure vulnerability in iTop", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-4079", "STATE": "PUBLIC", "TITLE": "Information disclosure 
vulnerability in iTop" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the \"excel export\" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data they which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200 Information Exposure" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh" } ] }, "source": { "advisory": "GHSA-vcv9-xp3j-7jwh", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-4079", "datePublished": "2021-01-12T19:20:14", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2024-08-04T07:52:20.880Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15220
Vulnerability from cvelistv5
Published
2021-01-13 17:05
Modified
2024-08-04 13:08
Summary
Session fixation
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:22.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal user session. This is fixed in versions 2.7.2 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-13T17:05:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2" } ], "source": { "advisory": "GHSA-qw4q-cmcv-7vv2", "discovery": "UNKNOWN" }, "title": "Session fixation", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15220", "STATE": "PUBLIC", "TITLE": "Session fixation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { 
"version_value": "\u003c 2.7.2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same session, which leads to a possibility to steal user session. This is fixed in versions 2.7.2 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-613 Insufficient Session Expiration" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qw4q-cmcv-7vv2" } ] }, "source": { "advisory": "GHSA-qw4q-cmcv-7vv2", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15220", "datePublished": "2021-01-13T17:05:17", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.815Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-39216
Vulnerability from cvelistv5
Published
2023-03-14 15:10
Modified
2024-08-03 12:00
Summary
Combodo iTop's weak password reset token leads to account takeover
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229 | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:00:42.541Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm" }, { "name": "https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229" }, { "name": "https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.8" }, { "status": "affected", "version": "\u003e= 3.0.0, \u003c 3.0.2-1" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-330", "description": "CWE-330: Use of Insufficiently Random Values", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-14T15:10:51.815Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm" }, { "name": "https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229" }, { "name": "https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b" } ], "source": { "advisory": "GHSA-hggq-48p2-cmhm", "discovery": "UNKNOWN" }, "title": "Combodo iTop\u0027s weak password reset token leads to account takeover" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39216", "datePublished": "2023-03-14T15:10:51.815Z", "dateReserved": "2022-09-02T14:16:35.822Z", "dateUpdated": "2024-08-03T12:00:42.541Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-6544
Vulnerability from cvelistv5
Published
2018-02-20 20:00
Modified
2024-08-06 07:22
Summary
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.
References
▼ | URL | Tags |
---|---|---|
http://sourceforge.net/p/itop/code/3662/ | x_refsource_CONFIRM | |
https://www.htbridge.com/advisory/HTB23268 | x_refsource_MISC | |
http://sourceforge.net/p/itop/tickets/1114/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:22:22.370Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/p/itop/code/3662/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.htbridge.com/advisory/HTB23268" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/p/itop/tickets/1114/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-07-30T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-20T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/p/itop/code/3662/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.htbridge.com/advisory/HTB23268" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/p/itop/tickets/1114/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-6544", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in 
application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://sourceforge.net/p/itop/code/3662/", "refsource": "CONFIRM", "url": "http://sourceforge.net/p/itop/code/3662/" }, { "name": "https://www.htbridge.com/advisory/HTB23268", "refsource": "MISC", "url": "https://www.htbridge.com/advisory/HTB23268" }, { "name": "http://sourceforge.net/p/itop/tickets/1114/", "refsource": "CONFIRM", "url": "http://sourceforge.net/p/itop/tickets/1114/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-6544", "datePublished": "2018-02-20T20:00:00", "dateReserved": "2015-08-20T00:00:00", "dateUpdated": "2024-08-06T07:22:22.370Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-11696
Vulnerability from cvelistv5
Published
2020-06-05 21:12
Modified
2024-08-04 11:35
Severity ?
EPSS score ?
Summary
In Combodo iTop, a menu shortcut name can carry a stored XSS payload (the name is persisted and later rendered to users). This is fixed in all iTop packages (community, essential, professional) in version 2.7.0, and in iTop Essential and iTop Professional in version 2.6.4; community-edition installs on 2.6.x therefore have no patched 2.6 release and must move to 2.7.0.
References
▼ | URL | Tags |
---|---|---|
https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3Achange_log | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/security/advisories/GHSA-4h6p-jghj-8qxm | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:35:13.671Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3Achange_log" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-4h6p-jghj-8qxm" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-06-05T00:00:00", "descriptions": [ { "lang": "en", "value": "In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-05T21:12:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3Achange_log" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-4h6p-jghj-8qxm" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11696", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. 
This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3Achange_log", "refsource": "CONFIRM", "url": "https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3Achange_log" }, { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-4h6p-jghj-8qxm", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-4h6p-jghj-8qxm" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11696", "datePublished": "2020-06-05T21:12:55", "dateReserved": "2020-04-10T00:00:00", "dateUpdated": "2024-08-04T11:35:13.671Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15218
Vulnerability from cvelistv5
Published
2021-01-13 16:50
Modified
2024-08-04 13:08
Severity ?
EPSS score ?
Summary
Admin pages are cached (their content remains viewable via the browser back button after logout) and can be embedded
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:22.897Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is visible after deconnection by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-13T16:50:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j" } ], "source": { "advisory": "GHSA-3m3g-86hp-5p2j", "discovery": "UNKNOWN" }, "title": "Admin pages are cached and can be embedded", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15218", "STATE": "PUBLIC", "TITLE": "Admin pages are cached and can be embedded" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": 
[ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is visible after deconnection by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-613 Insufficient Session Expiration" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-3m3g-86hp-5p2j" } ] }, "source": { "advisory": "GHSA-3m3g-86hp-5p2j", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15218", "datePublished": "2021-01-13T16:50:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.897Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41161
Vulnerability from cvelistv5
Published
2022-04-21 16:35
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
XSS in csvimport in 3.0.0-beta versions
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.699Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 3.0.0-beta6" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don\u0027t properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-21T16:35:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22" 
} ], "source": { "advisory": "GHSA-788f-g6g9-f8fc", "discovery": "UNKNOWN" }, "title": "XSS in csvimport in 3.0.0-beta versions", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41161", "STATE": "PUBLIC", "TITLE": "XSS in csvimport in 3.0.0-beta versions" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 3.0.0-beta6" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don\u0027t properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc" }, { "name": "https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22" } ] }, 
"source": { "advisory": "GHSA-788f-g6g9-f8fc", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41161", "datePublished": "2022-04-21T16:35:10", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.699Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15219
Vulnerability from cvelistv5
Published
2021-01-13 16:55
Modified
2024-08-04 13:08
Severity ?
EPSS score ?
Summary
SQL query displayed on portal error
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:22.809Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.7.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the user portal, an SQL query is displayed to the user. This is fixed in versions 2.7.2 and 3.0.0." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-209", "description": "CWE-209 Information Exposure Through an Error Message", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-13T16:55:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8" } ], "source": { "advisory": "GHSA-q5cf-46rg-frf8", "discovery": "UNKNOWN" }, "title": "SQL query displayed on portal error", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15219", "STATE": "PUBLIC", "TITLE": "SQL query displayed on portal error" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { 
"product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.7.2" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the user portal, an SQL query is displayed to the user. This is fixed in versions 2.7.2 and 3.0.0." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-209 Information Exposure Through an Error Message" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-q5cf-46rg-frf8" } ] }, "source": { "advisory": "GHSA-q5cf-46rg-frf8", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15219", "datePublished": "2021-01-13T16:55:17", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.809Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-32663
Vulnerability from cvelistv5
Published
2021-10-19 17:40
Modified
2024-08-03 23:25
Severity ?
EPSS score ?
Summary
Unauthenticated access to the system setup leads to SSRF in Combodo/iTop
References
▼ | URL | Tags |
---|---|---|
https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9 | x_refsource_CONFIRM | |
https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807 | x_refsource_MISC | |
https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:25:31.083Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "iTop", "vendor": "Combodo", "versions": [ { "status": "affected", "version": "\u003c 2.6.5" }, { "status": "affected", "version": "\u003e= 2.7.0, \u003c 2.7.5" } ] } ], "descriptions": [ { "lang": "en", "value": "iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. 
This issue has been resolved in versions 2.6.5 and 2.7.5 and later" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-19T17:40:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec" } ], "source": { "advisory": "GHSA-ghqc-r8f6-q9m9", "discovery": "UNKNOWN" }, "title": "Unauthorized setup leads to SSRF in Combodo/iTop", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32663", "STATE": "PUBLIC", "TITLE": "Unauthorized setup leads to SSRF in Combodo/iTop" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "iTop", "version": { "version_data": [ { "version_value": "\u003c 2.6.5" }, { "version_value": "\u003e= 2.7.0, \u003c 2.7.5" } ] } } ] }, "vendor_name": "Combodo" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "iTop is an open source web based IT Service Management tool. 
In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later" } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-918: Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9", "refsource": "CONFIRM", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9" }, { "name": "https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807" }, { "name": "https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec" } ] }, "source": { "advisory": "GHSA-ghqc-r8f6-q9m9", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32663", "datePublished": "2021-10-19T17:40:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:31.083Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-13965
Vulnerability from cvelistv5
Published
2020-02-14 21:01
Modified
2024-08-05 00:05
Severity ?
EPSS score ?
Summary
Because of a lack of sanitization around error messages, multiple reflected XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS delivered to an administrator can be escalated to remote command execution because of CVE-2018-10642 (still exploitable through 2.6.0). The reflected XSS can also be turned into a stored XSS within the same account because of another vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log | x_refsource_MISC | |
https://0day.love/itop_vulnerabilities_disclosure.pdf | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:05:44.083Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0) The Reflective XSS can also become a stored XSS within the same account because of another vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-14T21:01:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "tags": [ "x_refsource_MISC" ], "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13965", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0) The Reflective XSS can also become a stored XSS within the same account because of another vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log", "refsource": "MISC", "url": "https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log" }, { "name": "https://0day.love/itop_vulnerabilities_disclosure.pdf", "refsource": "MISC", "url": "https://0day.love/itop_vulnerabilities_disclosure.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13965", "datePublished": "2020-02-14T21:01:42", "dateReserved": "2019-07-18T00:00:00", "dateUpdated": "2024-08-05T00:05:44.083Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }