CVSS: 5.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

15 Apr 2024 — iTop is an IT service management platform. Dashboard editor: it can load multiple files and URLs, and there is a full path disclosure on the dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1. • https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.4 | EPSS: 3% | CPEs: 1 | EXPL: 1

09 Nov 2023 — Cross-site scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page. • https://github.com/nitipoom-jar/CVE-2023-47488 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 Nov 2023 — CSV injection in the export-as-CSV feature of Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components. • https://github.com/nitipoom-jar/CVE-2023-47489

CVSS: 8.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

25 Oct 2023 — iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, cross-site scripting is possible on `pages/UI.php`. This issue is fixed in versions 3.0.4 and 3.1.0. • https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Oct 2023 — iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, cross-site scripting is possible when displaying `pages/preferences.php`. This issue is fixed in versions 3.0.4 and 3.1.0. • https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

14 Mar 2023 — Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229 • CWE-330: Use of Insufficiently Random Values

CVSS: 9.6 | EPSS: 2% | CPEs: 2 | EXPL: 0

14 Mar 2023 — Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd • CWE-863: Incorrect Authorization

CVSS: 6.1 | EPSS: 1% | CPEs: 1 | EXPL: 2

14 Jun 2022 — ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php. • https://github.com/IbrahimEkimIsik/CVE-2022-31403 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 10% | CPEs: 1 | EXPL: 2

10 Jun 2022 — ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php. • https://github.com/YavuzSahbaz/CVE-2022-31402 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.3 | EPSS: 0% | CPEs: 7 | EXPL: 0

21 Apr 2022 — Combodo iTop is a web-based IT Service Management tool. In 3.0.0 beta releases prior to beta6, the `ajax.render.php?operation=wizard_helper` page did not properly escape the user-supplied parameters, allowing for a cross-site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')