
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Combodo iTop is a simple, web-based IT Service Management tool. By placing malicious code in CSV content, a Cross-site Scripting (XSS) attack can be performed when that content is imported. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. Users unable to upgrade should validate CSV content before importing it. • https://github.com/Combodo/iTop/security/advisories/GHSA-776w-x6v7-vfwf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though access to them should be restricted. Fortunately, no sensitive files are stored in that folder natively, but a third-party module could place some there. The `pages/exec.php` script has been fixed to limit execution to PHP files only; other file types will no longer be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0. • https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26 https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc • CWE-552: Files or Directories Accessible to External Parties •

CVSS: 8.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

iTop is an IT service management platform. When exporting data from the backoffice or the portal to CSV or Excel files, users' inputs may include malicious formulas that are then imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0. • https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

iTop is an IT service management platform. When displaying or editing a user's personal tokens, XSS attacks are possible. This vulnerability is fixed in 3.1.1. • https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

iTop is an IT service management platform. When dashlets are refreshed, XSS attacks are possible. This vulnerability is fixed in 3.0.4 and 3.1.1. • https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9 https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •