CVE-2022-24811
Cross-site Scripting in Combodo iTop
Severity Score
5.4
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
Combodi iTop es una herramienta de AdministraciĆ³n de Servicios de TI basada en la web. En versiones anteriores a 2.7.6 y 3.0.0, era posible un ataque de tipo cross-site scripting para scripts fuera de las etiquetas de script cuando son mostrados archivos adjuntos HTML. Este problema ha sido solucionado en versiones 2.7.6 y 3.0.0. Actualmente no son conocidas medidas de mitigaciĆ³n
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-02-10 CVE Reserved
- 2022-04-05 CVE Published
- 2023-10-27 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://huntr.dev/bounties/1625056478879-Combodo/iTop | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4 | 2022-04-19 |
| URL | Date | SRC |
|---|