
CVE-2025-24969 – iTop portal user can see any other contact's picture
https://notcve.org/view.php?id=CVE-2025-24969
14 May 2025 — iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-52p7-7f8f-j7pc • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2025-24785 – iTop dashboard vulnerable to denial of service
https://notcve.org/view.php?id=CVE-2025-24785
14 May 2025 — iTop is a web-based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server that triggers a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard. • https://github.com/Combodo/iTop/security/advisories/GHSA-49rq-cgv9-7hv4 • CWE-20: Improper Input Validation

CVE-2025-24026 – iTop Inefficient Regular Expression Complexity vulnerability
https://notcve.org/view.php?id=CVE-2025-24026
14 May 2025 — iTop is a web-based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to a regular expression denial of service (ReDoS) that may, under some circumstances, affect the iTop server. Version 3.2.1 no longer uses the affected variable in the regular expression. As a workaround, if iTop's app_root_url is defined in the configuration file, the ReDoS cannot be triggered. • https://github.com/Combodo/iTop/security/advisories/GHSA-9g7f-jmc3-rrmf • CWE-1333: Inefficient Regular Expression Complexity

CVE-2025-24022 – iTop server vulnerable to portal code injection
https://notcve.org/view.php?id=CVE-2025-24022
14 May 2025 — iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3, and 3.2.1. • https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-24021 – iTop doesn't have mass assignment of fields in the portal form
https://notcve.org/view.php?id=CVE-2025-24021
14 May 2025 — iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set values on object fields they are not supposed to be able to modify. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj • CWE-862: Missing Authorization

CVE-2024-56157 – iTop vulnerable to Self XSS in CSV Import
https://notcve.org/view.php?id=CVE-2024-56157
14 May 2025 — iTop is a web-based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by placing malicious code in CSV content, a cross-site scripting attack can be performed when that content is imported. The issue is fixed in versions 3.1.3 and 3.2.1. As a workaround, check CSV content before importing it. • https://github.com/Combodo/iTop/security/advisories/GHSA-6p48-74j9-977j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-52601 – iTop portal Insecure Direct Object Reference vulnerability
https://notcve.org/view.php?id=CVE-2024-52601
14 May 2025 — iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can gain read access to objects they are not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-cph2-466c-3f87 • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2025-27139 – Combodo iTop vulnerable to stored self Cross-site Scripting in preferences
https://notcve.org/view.php?id=CVE-2025-27139
25 Feb 2025 — Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-c6mg-9537-c8cf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-54139 – Combodo iTop vulnerable to XSS leading to CSRF breach on _table_id parameter
https://notcve.org/view.php?id=CVE-2024-54139
13 Dec 2024 — Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0, iTop has a cross-site scripting vulnerability in the `_table_id` parameter that can lead to cross-site request forgery. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-jmv2-wfh5-h5wg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-52000 – Reflected Cross-site Scripting exploit in Combodo iTop
https://notcve.org/view.php?id=CVE-2024-52000
08 Nov 2024 — Combodo iTop is a simple, web-based IT Service Management tool. Affected versions are subject to a reflected cross-site scripting (XSS) exploit by way of editing a request's payload, which can lead to malicious JavaScript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering them on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')