CVSS: 8.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-48709 – iTop vulnerable to potential formula injection in Excel/CSV export file
https://notcve.org/view.php?id=CVE-2023-48709
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0. iTop es una plataforma de gestión de servicios de TI. Al exportar datos desde el backoffice o el portal en archivos CSV o Excel, las entradas de los usuarios pueden incluir fórmulas maliciosas que pueden importarse a Excel. • https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47626 – iTop vulnerable to XSS vulnerability in authent-token
https://notcve.org/view.php?id=CVE-2023-47626
iTop is an IT service management platform. When displaying/editing the user's personal tokens, XSS attacks are possible. This vulnerability is fixed in 3.1.1. iTop es una plataforma de gestión de servicios de TI. Al mostrar/editar los tokens personales del usuario, los ataques XSS son posibles. Esta vulnerabilidad se soluciona en 3.1.1. • https://github.com/Combodo/iTop/security/advisories/GHSA-vv3v-9vrv-h95h • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-47622 – iTop vulnerable to XSS vulnerability in dashlet refresh
https://notcve.org/view.php?id=CVE-2023-47622
iTop is an IT service management platform. When dashlet are refreshed, XSS attacks are possible. This vulnerability is fixed in 3.0.4 and 3.1.1. iTop es una plataforma de gestión de servicios de TI. Cuando se actualizan los dashlet, es posible realizar ataques XSS. Esta vulnerabilidad se solucionó en 3.0.4 y 3.1.1. • https://github.com/Combodo/iTop/commit/09be84f69da0fe44221f63b8c2db041bdf7dd7f9 https://github.com/Combodo/iTop/security/advisories/GHSA-q9cm-q7fc-frxh • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47123 – iTop vulnerable to XSS vulnerability in n:n relations "tagset" widget
https://notcve.org/view.php?id=CVE-2023-47123
iTop is an IT service management platform. By filling malicious code in an object friendlyname / complementary name, an XSS attack can be performed when this object will displayed as an n:n relation item in another object. This vulnerability is fixed in 3.1.1 and 3.2.0. iTop es una plataforma de gestión de servicios de TI. Al completar código malicioso en un nombre descriptivo/nombre complementario de un objeto, se puede realizar un ataque XSS cuando este objeto se muestra como un elemento de relación n:n en otro objeto. Esta vulnerabilidad se solucionó en 3.1.1 y 3.2.0. • https://github.com/Combodo/iTop/commit/34ba4fa0ce99534f751d9f170fe0eda103e20c72 https://github.com/Combodo/iTop/security/advisories/GHSA-mx8x-693w-9hjp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-45808 – iTop missing silo check on extkey in console and portal
https://notcve.org/view.php?id=CVE-2023-45808
iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0. iTop es una plataforma de gestión de servicios de TI. Al crear o actualizar un objeto, no se verifica que los valores de extkey estén en el silo de usuario actual. • https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7 https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385 https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh • CWE-639: Authorization Bypass Through User-Controlled Key •