
CVE-2020-12777 – Combodo iTop - Broken Access Control
https://notcve.org/view.php?id=CVE-2020-12777
10 Aug 2020 — A function in Combodo iTop contains a Broken Access Control vulnerability, which allows an unauthorized attacker to inject commands and disclose system information.
• https://github.com/Combodo/iTop/security/advisories/GHSA-88fq-r22m-64q2
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2020-11696
https://notcve.org/view.php?id=CVE-2020-11696
05 Jun 2020 — In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and in iTop essential and iTop professional in version 2.6.4.
• https://github.com/Combodo/iTop/security/advisories/GHSA-4h6p-jghj-8qxm
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-11697
https://notcve.org/view.php?id=CVE-2020-11697
05 Jun 2020 — In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in the iTop essential and iTop professional packages for version 2.6.4.
• https://github.com/Combodo/iTop/security/advisories/GHSA-xfh9-5632-hxmv
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-19821
https://notcve.org/view.php?id=CVE-2019-19821
16 Mar 2020 — A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions 2.5.4, 2.6.3 and 2.7.0.
• https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-13967
https://notcve.org/view.php?id=CVE-2019-13967
14 Feb 2020 — iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version.
• https://0day.love/itop_vulnerabilities_disclosure.pdf

CVE-2019-13966
https://notcve.org/view.php?id=CVE-2019-13966
14 Feb 2020 — In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
• https://0day.love/itop_vulnerabilities_disclosure.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-13965
https://notcve.org/view.php?id=CVE-2019-13965
14 Feb 2020 — Because of a lack of sanitization around error messages, multiple reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed into remote command execution because of CVE-2018-10642 (still working through 2.6.0). The reflective XSS can also become a stored XSS within the same account because of another vulnerability.
• https://0day.love/itop_vulnerabilities_disclosure.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-11215
https://notcve.org/view.php?id=CVE-2019-11215
14 Feb 2020 — In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the file from the web interface leaves the file writable (can be triggered with XSS); a race condition can be triggered by the hub-connector module (community ve...
• https://0day.love/itop_vulnerabilities_disclosure.pdf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
• CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2018-10642
https://notcve.org/view.php?id=CVE-2018-10642
02 May 2018 — Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().
• https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2015-6544 – iTop 2.1.0-2127 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-6544
23 Sep 2015 — Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. iTop version 2.1.0-2127 suffers from a cross site scripting vulnerabi...
• https://packetstorm.news/files/id/133675
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')