CVE-2018-10642
https://notcve.org/view.php?id=CVE-2018-10642
Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().

References:
https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt
https://sourceforge.net/p/itop/tickets/1585

Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2015-6544 – iTop 2.1.0-2127 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-6544
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. iTop version 2.1.0-2127 suffers from a cross-site scripting vulnerability.

References:
http://sourceforge.net/p/itop/code/3662
http://sourceforge.net/p/itop/tickets/1114
https://www.htbridge.com/advisory/HTB23268

Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-0805
https://notcve.org/view.php?id=CVE-2013-0805
Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to pages/UI.php or (2) expression parameter to pages/run_query.php. NOTE: some of these details are obtained from third party information.

References:
http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0208.html
http://osvdb.org/89574
http://packetstormsecurity.com/files/119767/iTop-Cross-Site-Scripting.html
http://seclists.org/bugtraq/2013/Jan/102
http://secunia.com/advisories/51702
https://exchange.xforce.ibmcloud.com/vulnerabilities/81498
https://www.csnc.ch/misc/files/advisories/CVE-2013-0805.txt

Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-4275 – Open Flash Chart 2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2011-4275
Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php.

References:
https://www.exploit-db.com/exploits/29210
https://www.exploit-db.com/exploits/24529
https://www.exploit-db.com/exploits/24969
https://www.exploit-db.com/exploits/24492
https://www.exploit-db.com/exploits/10532
https://www.exploit-db.com/exploits/29091
http://www.securityfocus.com/archive/1/520632
http://www.securityfocus.com/archive/1/520632/100/0/threaded
http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt

Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')