CVE-2021-41162 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2021-41162
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0 https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24870 – Stored Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24870
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3 https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-41161 – XSS in csvimport in 3.0.0-beta versions
https://notcve.org/view.php?id=CVE-2021-41161
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue. Combodo iTop es una herramienta de administración de servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22 https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24811 – Cross-site Scripting in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24811
Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds. Combodi iTop es una herramienta de Administración de Servicios de TI basada en la web. • https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4 https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc https://huntr.dev/bounties/1625056478879-Combodo/iTop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24780 – Code Injection in Combodo iTop
https://notcve.org/view.php?id=CVE-2022-24780
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds. Combodo iTop es una herramienta de Administración de Servicios de TI basada en la web. • https://github.com/Acceis/exploit-CVE-2022-24780 http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3 https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305 https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54 https://markus-krell.de/itop-template-injection-inside-customer-portal • CWE-94: Improper Control of Generation of Code ('Code Injection') •