
CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 May 2025 — iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-52p7-7f8f-j7pc • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 May 2025 — iTop is a web-based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard. • https://github.com/Combodo/iTop/security/advisories/GHSA-49rq-cgv9-7hv4 • CWE-20: Improper Input Validation

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 May 2025 — iTop is a web-based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect the iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS. • https://github.com/Combodo/iTop/security/advisories/GHSA-9g7f-jmc3-rrmf • CWE-1333: Inefficient Regular Expression Complexity

CVSS: 8.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

14 May 2025 — iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3, and 3.2.1. • https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 5.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

14 May 2025 — iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set values on object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj • CWE-862: Missing Authorization

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

14 May 2025 — iTop is a web-based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by placing malicious code in CSV content, a cross-site scripting attack can be performed when importing this content. The issue is fixed in versions 3.1.3 and 3.2.1. As a workaround, check CSV content before importing it. • https://github.com/Combodo/iTop/security/advisories/GHSA-6p48-74j9-977j • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

14 May 2025 — iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can gain read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-cph2-466c-3f87 • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 6.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

25 Feb 2025 — Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-c6mg-9537-c8cf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.9 | EPSS: 0% | CPEs: 3 | EXPL: 0

13 Dec 2024 — Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0, iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue. • https://github.com/Combodo/iTop/security/advisories/GHSA-jmv2-wfh5-h5wg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-352: Cross-Site Request Forgery (CSRF)