CVSS: 6.4EPSS: 3%CPEs: 1EXPL: 1CVE-2023-47488
https://notcve.org/view.php?id=CVE-2023-47488
09 Nov 2023 — Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page. Vulnerabilidad de Cross-Site Scripting en Combodo iTop v.3.1.0-2-11973 permite a un atacante local obtener información sensible a través de un script manipulado para el parámetro attrib_manager_id en la página de información general y el parámetro id en la pá... • https://github.com/nitipoom-jar/CVE-2023-47488 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47489
https://notcve.org/view.php?id=CVE-2023-47489
09 Nov 2023 — CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components. Un problema en Combodo iTop v.3.1.0-2-11973 permite a un atacante local ejecutar código arbitrario a través de un script manipulado en los componentes export-v2.php y ajax.render.php. • https://github.com/nitipoom-jar/CVE-2023-47489 •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-34447 – iTop XSS vulnerability on pages/UI.php
https://notcve.org/view.php?id=CVE-2023-34447
25 Oct 2023 — iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, on `pages/UI.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0. iTop es una plataforma de gestión de servicios de TI basada en web y de código abierto. Antes de las versiones 3.0.4 y 3.1.0, en `pages/UI.php`, era posible realizar Cross-Site Scripting (XSS). Este problema se solucionó en las versiones 3.0.4 y 3.1.0. • https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34446 – iTop XSS vulnerability on pages/preferences.php
https://notcve.org/view.php?id=CVE-2023-34446
25 Oct 2023 — iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, when displaying `pages/preferences.php`, cross site scripting is possible. This issue is fixed in versions 3.0.4 and 3.1.0. iTop es una plataforma de gestión de servicios de TI basada en web y de código abierto. Antes de las versiones 3.0.4 y 3.1.0, al mostrar `pages/preferences.php`, era posible realizar Cross-Site Scripting (XSS). Este problema se solucionó en las versiones 3.0.4 y 3.1.0. • https://github.com/Combodo/iTop/commit/e3ba826e5dfd3b724f1ee97bebfd20ded3c70b10 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39216 – Combodo iTop's weak password reset token leads to account takeover
https://notcve.org/view.php?id=CVE-2022-39216
14 Mar 2023 — Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229 • CWE-330: Use of Insufficiently Random Values •
CVSS: 9.6EPSS: 2%CPEs: 2EXPL: 0CVE-2022-39214 – Authenticated users of Combodo iTop can take over any account
https://notcve.org/view.php?id=CVE-2022-39214
14 Mar 2023 — Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd • CWE-863: Incorrect Authorization •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 2CVE-2022-31403
https://notcve.org/view.php?id=CVE-2022-31403
14 Jun 2022 — ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php. Se ha detectado que ITOP versión v3.0.1, contiene una vulnerabilidad de tipo cross-site scripting (XSS) por medio del archivo /itop/pages/ajax.render.php • https://github.com/IbrahimEkimIsik/CVE-2022-31403 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 10%CPEs: 1EXPL: 2CVE-2022-31402
https://notcve.org/view.php?id=CVE-2022-31402
10 Jun 2022 — ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php. Se ha detectado que ITOP versión v3.0.1 contiene una vulnerabilidad de tipo cross-site scripting (XSS) por medio del archivo /itop/webservices/export-v2.php • https://github.com/YavuzSahbaz/CVE-2022-31402 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 7EXPL: 0CVE-2021-41162 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2021-41162
21 Apr 2022 — Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 0%CPEs: 2EXPL: 1CVE-2022-24870 – Stored Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24870
21 Apr 2022 — Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •