
CVSS: 6.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

iTop is an IT service management platform. Dashlet edit ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.

References:
https://github.com/Combodo/iTop/commit/9df92665e08c4bf5d4d8a5a9fe21fd3fb26fb273
https://github.com/Combodo/iTop/commit/c72cb7e70ebf469ce0ec01f5f9b524e39afe6c7f
https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35

Weaknesses:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSS: 5.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

iTop is an IT service management platform. The dashboard editor can load multiple files and URLs, and discloses the full path of the dashboard configuration file. This vulnerability is fixed in 3.0.4 and 3.1.1.

References:
https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7
https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab
https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm
https://www.synacktiv.com/advisories/file-read-in-itop

Weaknesses:
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page.

References:
https://github.com/nitipoom-jar/CVE-2023-47488
https://bugplorer.github.io/cve-xss-itop
https://nitipoom-jar.github.io/CVE-2023-47488

Weaknesses:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

CSV injection in the "export as CSV" feature of Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components.

References:
https://github.com/nitipoom-jar/CVE-2023-47489
https://bugplorer.github.io/cve-csv-itop
https://nitipoom-jar.github.io/CVE-2023-47489

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, cross-site scripting is possible on `pages/UI.php`. This issue is fixed in versions 3.0.4 and 3.1.0.

References:
https://github.com/Combodo/iTop/commit/519751faa10b2fc5b75ea4516a1b8ef13ca35b33
https://github.com/Combodo/iTop/commit/b8f61362f570e1ef8127175331012b7fc8aba802
https://github.com/Combodo/iTop/security/advisories/GHSA-6rfm-2rwg-mj7p

Weaknesses:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')