CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39214 – Authenticated users of Combodo iTop can take over any account
https://notcve.org/view.php?id=CVE-2022-39214
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1. • https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4 • CWE-863: Incorrect Authorization •
CVSS: 9.3EPSS: 0%CPEs: 7EXPL: 0CVE-2021-41162 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2021-41162
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0 https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-41161 – XSS in csvimport in 3.0.0-beta versions
https://notcve.org/view.php?id=CVE-2021-41161
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue. Combodo iTop es una herramienta de administración de servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22 https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24811 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24811
Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds. Combodi iTop es una herramienta de Administración de Servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4 https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc https://huntr.dev/bounties/1625056478879-Combodo/iTop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 12EXPL: 3CVE-2022-24780 – Code Injection in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24780
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds. Combodo iTop es una herramienta de Administración de Servicios de TI basada en la web. • https://github.com/Acceis/exploit-CVE-2022-24780 http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3 https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305 https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54 https://markus-krell.de/itop-template-injection-inside-customer-portal • CWE-94: Improper Control of Generation of Code ('Code Injection') •