Lucene search

GitHub_MCVELIST:CVE-2020-4079

HistoryJan 12, 2021 - 7:20 p.m.

CVE-2020-4079 Information disclosure vulnerability in iTop

2021-01-1219:20:14

CWE-200

GitHub_M

www.cve.org

cve-2020-4079

itop

information disclosure

vulnerability

comodo

it service management

excel export

ajax endpoint

data access

scope filtering .

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the “excel export” portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data they which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0.

CNA Affected

[
  {
    "product": "iTop",
    "vendor": "Combodo",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.7.2"
      }
    ]
  }
]

References

github.com/Combodo/iTop/security/advisories/GHSA-vcv9-xp3j-7jwh

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

Related for CVELIST:CVE-2020-4079