CVSS: 7.4EPSS: 0%CPEs: 12EXPL: 0CVE-2020-12778 – Combodo iTop - Reflected XSS
https://notcve.org/view.php?id=CVE-2020-12778
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack. Combodo iTop no comprueba los parámetros ingresados, los atacantes pueden inyectar comandos maliciosos e iniciar un ataque de tipo XSS • https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv https://www.twcert.org.tw/tw/cp-132-3834-591e2-1.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2020-12777 – Combodo iTop - Broken Access Control
https://notcve.org/view.php?id=CVE-2020-12777
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information. Una función en Combodo iTop contiene una vulnerabilidad de Control de Acceso Roto, que permite a un atacante no autorizado inyectar comandos y revelar información del sistema • https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2 https://www.twcert.org.tw/tw/cp-132-3833-46ae7-1.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-11696
https://notcve.org/view.php?id=CVE-2020-11696
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4. En Combodo iTop, un nombre de acceso directo de menú puede ser explotado con una carga de tipo XSS almacenado. Esto es corregido en todos los paquetes iTop (community, essential, professional) en la versión 2.7.0 y iTop essential e iTop professional en la versión 2.6.4 • https://github.com/Combodo/iTop/security/advisories/GHSA-4h6p-jghj-8qxm https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3Achange_log • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-11697
https://notcve.org/view.php?id=CVE-2020-11697
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4. En Combodo iTop, los id del panel de control pueden ser explotados con una carga útil XSS reflexiva. Esto es corregido en todos los paquetes iTop (community, essential, professional) para la versión 2.7.0 y en los paquetes iTop essential e iTop professional para la versión 2.6.4 • https://github.com/Combodo/iTop/security/advisories/GHSA-xfh9-5632-hxmv https://www.itophub.io/wiki/page?id=2_7_0%3Arelease%3A2_7_whats_new • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19821
https://notcve.org/view.php?id=CVE-2019-19821
A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions : 2.5.4, 2.6.3, 2.7.0 Una escalada de privilegios posterior a la autenticación en la aplicación web de Combodo iTop permite a los usuarios autenticados regulares acceder a la información y modificarla con privilegios administrativos al no seguir el encabezado HTTP Location en las respuestas del servidor. Esto se soluciona en todos los paquetes iTop (comunidad, esencial, profesional) en las versiones: 2.5.4, 2.6.3, 2.7.0. • https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796 https://www.combodo.com/itop-193 https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •