
CVE-2020-4079 – Information disclosure vulnerability in iTop
https://notcve.org/view.php?id=CVE-2020-4079
12 Jan 2021 — Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel export" portal functionality is called directly, it allows getting data without scope filtering. This allows a user to access data they should not have access to. This is fixed in versions 2.7.2 and 3.0.0. • https://github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2020-12781 – Combodo iTop - CSRF
https://notcve.org/view.php?id=CVE-2020-12781
10 Aug 2020 — Combodo iTop contains a cross-site request forgery (CSRF) vulnerability; attackers can execute specific commands via malicious site request forgery. • https://github.com/Combodo/iTop/security/advisories/GHSA-34rq-vfmf-gg5v • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2020-12780 – Combodo iTop - Security Misconfiguration
https://notcve.org/view.php?id=CVE-2020-12780
10 Aug 2020 — A security misconfiguration exists in Combodo iTop, which can expose sensitive information. • https://github.com/Combodo/iTop/security/advisories/GHSA-97cw-cjxc-9x78 • CWE-863: Incorrect Authorization

CVE-2020-12779 – Combodo iTop - Stored XSS
https://notcve.org/view.php?id=CVE-2020-12779
10 Aug 2020 — Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading a file with a malicious script. • https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-12778 – Combodo iTop - Reflected XSS
https://notcve.org/view.php?id=CVE-2020-12778
10 Aug 2020 — Combodo iTop does not validate input parameters; attackers can inject malicious commands and launch an XSS attack. • https://github.com/Combodo/iTop/security/advisories/GHSA-8vpf-8vjh-5fcv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-12777 – Combodo iTop - Broken Access Control
https://notcve.org/view.php?id=CVE-2020-12777
10 Aug 2020 — A function in Combodo iTop contains a Broken Access Control vulnerability, which allows an unauthorized attacker to inject commands and disclose system information. • https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2020-11696
https://notcve.org/view.php?id=CVE-2020-11696
05 Jun 2020 — In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and in iTop essential and iTop professional in version 2.6.4. • https://github.com/Combodo/iTop/security/advisories/GHSA-4h6p-jghj-8qxm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-11697
https://notcve.org/view.php?id=CVE-2020-11697
05 Jun 2020 — In Combodo iTop, dashboard ids can be exploited with a reflected XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4. • https://github.com/Combodo/iTop/security/advisories/GHSA-xfh9-5632-hxmv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-19821
https://notcve.org/view.php?id=CVE-2019-19821
16 Mar 2020 — A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions 2.5.4, 2.6.3 and 2.7.0. • https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-13967
https://notcve.org/view.php?id=CVE-2019-13967
14 Feb 2020 — iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests that launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version. • https://0day.love/itop_vulnerabilities_disclosure.pdf