Lucene search

GitHub_MCVELIST:CVE-2022-39214

HistoryMar 14, 2023 - 3:10 p.m.

CVE-2022-39214 Authenticated users of Combodo iTop can take over any account

2023-03-1415:10:47

CWE-863

GitHub_M

www.cve.org

combodo itop

security issue

versions 2.7.8

3.0.2-1

authenticated users

account takeover

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

9.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.4%

JSON

Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account’s username. This issue is fixed in versions 2.7.8 and 3.0.2-1.

CNA Affected

[
  {
    "vendor": "Combodo",
    "product": "iTop",
    "versions": [
      {
        "version": "< 2.7.8",
        "status": "affected"
      },
      {
        "version": ">= 3.0.0, < 3.0.2-1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd

github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa

github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

9.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.4%

JSON

Related for CVELIST:CVE-2022-39214