CVE-2018-10642
https://notcve.org/view.php?id=CVE-2018-10642
Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval(). • https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt https://sourceforge.net/p/itop/tickets/1585 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
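The pattern behind this entry is a configuration "test" that validates administrator-supplied PHP text by executing it. The block below is an added example, not iTop's code: TestConfigVulnerable() shows the eval()-based check, and TestConfigSafe() shows one way to vet the same text without executing it, by tokenising it with token_get_all() and accepting only the tokens a literal array of scalars needs. The function names, the `return array(...)` layout of the sample configuration and the rejected payload are all constructed for illustration and do not reflect iTop's real config.php layout.

```php
<?php
// Added example (not iTop's code). The config layout, function names and
// payload below are assumptions made for illustration only.

// Vulnerable pattern: "test" the configuration by evaluating it. Whatever an
// administrator pastes into the editor runs as PHP on the web server.
function TestConfigVulnerable(string $sConfigText): bool
{
    try {
        // eval() takes code without the opening tag, so strip it first.
        eval(preg_replace('/^<\?php\s*/', '', $sConfigText));  // executes attacker-controlled code
        return true;
    } catch (\Throwable $e) {
        return false;   // a ParseError or runtime error means "invalid config"
    }
}

// Hardened pattern: tokenise the text and allow only what a literal
// `return array(...)` of scalars needs. Variables, function calls, string
// interpolation, backticks and close tags never reach the allow-list, so the
// text is never executed and cannot contain executable constructs.
function TestConfigSafe(string $sConfigText, array &$aRejected = []): bool
{
    static $aAllowedIds = [
        T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_RETURN, T_ARRAY,
        T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER, T_DOUBLE_ARROW,
    ];
    static $aAllowedChars = ['(', ')', '[', ']', ',', ';', '-'];
    static $aAllowedWords = ['true', 'false', 'null'];   // tokenised as T_STRING

    $aRejected = [];
    foreach (token_get_all($sConfigText) as $mToken) {
        if (is_string($mToken)) {                    // single-character token
            if (!in_array($mToken, $aAllowedChars, true)) {
                $aRejected[] = "'$mToken'";
            }
            continue;
        }
        [$iId, $sText] = $mToken;                    // [token id, text, line]
        if ($iId === T_STRING && in_array(strtolower($sText), $aAllowedWords, true)) {
            continue;
        }
        if (!in_array($iId, $aAllowedIds, true)) {
            $aRejected[] = token_name($iId) . " '$sText'";
        }
    }
    return $aRejected === [];
}

// Constructed sample inputs (assumed layout, not iTop's real config.php).
$sBenign = "<?php\nreturn array('db_host' => 'localhost', 'timeout' => 30, 'debug' => false);\n";
$sMalicious = "<?php\nreturn array('db_host' => system('id'));\n";

var_dump(TestConfigSafe($sBenign));              // bool(true)
var_dump(TestConfigSafe($sMalicious, $aWhy));    // bool(false)
print_r($aWhy);                                  // T_STRING 'system' is rejected
// TestConfigVulnerable($sMalicious) is deliberately not called: it would run `id`.
```

Two caveats for anyone applying this. The token allow-list proves the text contains nothing executable, not that it parses; a syntax check that does not execute the file is `php -l` run in a subprocess on the candidate text. And removing eval() alone is not a fix if the same editor still writes arbitrary PHP to a file that the application later require()s; the allow-list has to guard the write path as well, or the configuration should be stored as data (JSON or INI) rather than as PHP source.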
CVE-2015-6544 – iTop 2.1.0-2127 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-6544
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. iTop version 2.1.0-2127 suffers from a cross-site scripting vulnerability. • http://sourceforge.net/p/itop/code/3662 http://sourceforge.net/p/itop/tickets/1114 https://www.htbridge.com/advisory/HTB23268 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
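A stored dashboard title is attacker-influenced data that ends up in generated HTML, which is exactly CWE-79. The block below is an added example and not iTop's code: it contrasts concatenating the title straight into markup with encoding it for the HTML context first, and shows why the ENT_QUOTES flag matters when the title also lands in a single-quoted attribute. The function names, markup and payload are constructed for illustration.

```php
<?php
// Added example (not iTop's code). Function names, markup and the payload
// are assumptions made for illustration only.

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// both as element text and inside a single-quoted attribute.
function RenderDashboardTitleVulnerable(string $sTitle): string
{
    return "<div class='dashboard' title='$sTitle'><h1>$sTitle</h1></div>";
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES is required so that single quotes are encoded too; before
// PHP 8.1 the default flags (ENT_COMPAT) leave them alone, which is enough
// to break out of title='...'. ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, which would otherwise silently drop the title.
function RenderDashboardTitleSafe(string $sTitle): string
{
    $sEncoded = htmlspecialchars($sTitle, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<div class='dashboard' title='$sEncoded'><h1>$sEncoded</h1></div>";
}

// Constructed payload, not taken from the advisory: closes the attribute and
// adds an event handler.
$sPayload = "My board' onmouseover='alert(1)";

echo RenderDashboardTitleVulnerable($sPayload), "\n";
// <div class='dashboard' title='My board' onmouseover='alert(1)'><h1>...</h1></div>

echo RenderDashboardTitleSafe($sPayload), "\n";
// <div class='dashboard' title='My board&#039; onmouseover=&#039;alert(1)'><h1>...</h1></div>
```

The encoding belongs in the rendering layer, not at storage time: a title that is also emitted into a JavaScript string or a URL needs a different encoder for that context, and encoding once on input leaves the other contexts exposed.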