CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39216 – Combodo iTop's weak password reset token leads to account takeover
https://notcve.org/view.php?id=CVE-2022-39216
14 Mar 2023 — Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229 • CWE-330: Use of Insufficiently Random Values •
CVSS: 9.6EPSS: 2%CPEs: 2EXPL: 0CVE-2022-39214 – Authenticated users of Combodo iTop can take over any account
https://notcve.org/view.php?id=CVE-2022-39214
14 Mar 2023 — Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 2CVE-2022-31403
https://notcve.org/view.php?id=CVE-2022-31403
14 Jun 2022 — ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php. Se ha detectado que ITOP versión v3.0.1, contiene una vulnerabilidad de tipo cross-site scripting (XSS) por medio del archivo /itop/pages/ajax.render.php • https://github.com/IbrahimEkimIsik/CVE-2022-31403 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 10%CPEs: 1EXPL: 2CVE-2022-31402
https://notcve.org/view.php?id=CVE-2022-31402
10 Jun 2022 — ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php. Se ha detectado que ITOP versión v3.0.1 contiene una vulnerabilidad de tipo cross-site scripting (XSS) por medio del archivo /itop/webservices/export-v2.php • https://github.com/YavuzSahbaz/CVE-2022-31402 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 7EXPL: 0CVE-2021-41162 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2021-41162
21 Apr 2022 — Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 0%CPEs: 2EXPL: 1CVE-2022-24870 – Stored Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24870
21 Apr 2022 — Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-41161 – XSS in csvimport in 3.0.0-beta versions
https://notcve.org/view.php?id=CVE-2021-41161
21 Apr 2022 — Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue. Combodo iTop es una herramienta de administración de servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24811 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24811
05 Apr 2022 — Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds. Combodi iTop es una herramienta de Administración de Servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 16%CPEs: 12EXPL: 4CVE-2022-24780 – Code Injection in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24780
05 Apr 2022 — Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds. Combodo iTop es una herramienta de Administración de Servicios de TI basada en la web. • https://packetstorm.news/files/id/167236 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41245 – Possible Cross-Site Request Forgery in Combodo iTop
https://notcve.org/view.php?id=CVE-2021-41245
05 Apr 2022 — Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop config file. Combodo iTop es una herramienta de administración de servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186 • CWE-352: Cross-Site Request Forgery (CSRF) •