Lucene search

GitHub_MCVELIST:CVE-2021-41161

HistoryApr 21, 2022 - 4:35 p.m.

CVE-2021-41161 XSS in csvimport in 3.0.0-beta versions

2022-04-2116:35:10

CWE-79

GitHub_M

www.cve.org

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

9.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.4%

JSON

Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don’t properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.

CNA Affected

[
  {
    "product": "iTop",
    "vendor": "Combodo",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.0.0-beta6"
      }
    ]
  }
]

References

github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22

github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

9.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.4%

JSON

Related for CVELIST:CVE-2021-41161