CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13966
https://notcve.org/view.php?id=CVE-2019-13966
14 Feb 2020 — In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title). En iTop versiones hasta 2.6.0, puede ser entregada una carga útil de tipo XSS en determinados campos (tal y como el icono) del archivo XML usado para construir el panel. Esto es similar a CVE-2015-6544 (que es solo sobre el título del panel). • https://0day.love/itop_vulnerabilities_disclosure.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13965
https://notcve.org/view.php?id=CVE-2019-13965
14 Feb 2020 — Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0) The Reflective XSS can also become a stored XSS within the same account because of another vulnerability. Debido a la falta de ... • https://0day.love/itop_vulnerabilities_disclosure.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-11215
https://notcve.org/view.php?id=CVE-2019-11215
14 Feb 2020 — In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the file from the web interface leaves the file writable (can be triggered with XSS); a race condition can be triggered by the hub-connector module (community ve... • https://0day.love/itop_vulnerabilities_disclosure.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.2EPSS: 4%CPEs: 1EXPL: 1CVE-2018-10642
https://notcve.org/view.php?id=CVE-2018-10642
02 May 2018 — Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval(). Vulnerabilidad de inyección de comandos en Combodo iTop 2.4.1 permite que administradores remotos autenticados ejecuten comandos arbitrarios cambiando la configuración de la plataforma, ya que web/env-production/... • https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 51%CPEs: 1EXPL: 2CVE-2015-6544 – iTop 2.1.0-2127 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2015-6544
23 Sep 2015 — Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. Vulnerabilidad de Cross-Site Scripting (XSS) en application/dashboard.class.inc.php en Combodo iTop en versiones anteriores a la 2.2.0-2459 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante un título de dashboard. iTop version 2.1.0-2127 suffers from a cross site scripting vulnerabi... • https://packetstorm.news/files/id/133675 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 24EXPL: 0CVE-2013-0805
https://notcve.org/view.php?id=CVE-2013-0805
20 Mar 2014 — Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to pages/UI.php or (2) expression parameter to pages/run_query.php. NOTE: some of these details are obtained from third party information. Múltiples vulnerabilidades de XSS en la funcionalidad de búsqueda en iTop (también conocido como IT Operations Portal) 2.0, 1.2.1, 1.2 y anteriore... • http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0208.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 8CVE-2011-4275 – Open Flash Chart 2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2011-4275
26 Nov 2011 — Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the categ... • https://www.exploit-db.com/exploits/29210 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •