CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51995 – Logic bug in ajax.render.php allows for bypass of 'backOffice' access control in Combodo iTop
https://notcve.org/view.php?id=CVE-2024-51995
Combodo iTop is a web based IT Service Management tool. An attacker can request any `route` we want as long as we specify an `operation` that is allowed. This issue has been addressed in version 3.2.0 by applying the same access control pattern as in `UI.php` to the `ajax.render.php` page which does not allow arbitrary `routes` to be dispatched. All users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/Combodo/iTop/security/advisories/GHSA-3mxr-8r3j-j2j9 • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-51740 – SSRF through arbitrary PHP class instantiation in the user portal in Combodo iTop
https://notcve.org/view.php?id=CVE-2024-51740
Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. • https://github.com/Combodo/iTop/security/advisories/GHSA-w9g8-mxm5-ph62 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-51739 – Users enumeration allowed through Rest API in Combodo iTop
https://notcve.org/view.php?id=CVE-2024-51739
Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it easier to bruteforce a valid account. As a fix the sentence displayed after resetting password no longer shows if the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. • https://github.com/Combodo/iTop/security/advisories/GHSA-2hmf-p27w-phf9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-32870 – iTop hub connector Information disclosure
https://notcve.org/view.php?id=CVE-2024-32870
Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be read by anyone having access to iTop URI. This issue has been patched in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/Combodo/iTop/security/advisories/GHSA-rfjh-2f5x-qxmx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31998 – CSRF security issue on CSV import in Combodo iTop
https://notcve.org/view.php?id=CVE-2024-31998
Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r • CWE-352: Cross-Site Request Forgery (CSRF) •