16 matches found

Vulnrichment
added 2025/11/10 7:20 p.m. · 5 views

CVE-2025-47932 Combodo iTop vulnerable to reflected XSS in ajax.render.php render_dashboard

Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack...

CVSS 8.8 · AI score 5.8 · EPSS 0.0019
Exploits 0 · References 1

OSV
added 2025/11/10 7:20 p.m. · 7 views

CVE-2025-47932 Combodo iTop vulnerable to reflected XSS in ajax.render.php render_dashboard

Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack...

CVSS 8.8 · AI score 6.1 · EPSS 0.0019
Exploits 0 · References 3

Cvelist
added 2024/11/07 5:55 p.m. · 25 views

CVE-2024-51995 Logic bug in ajax.render.php allows for bypass of 'backOffice' access control in Combodo iTop

Combodo iTop is a web-based IT Service Management tool. An attacker can request any route we want as long as we specify an operation that is allowed. This issue has been addressed in version 3.2.0 by applying the same access control pattern as in UI.php to the ajax.render.php page which does not...

CVSS 7.1 · EPSS 0.0042
Exploits 0 · References 1

BDU FSTEC
added 2023/11/22 12:00 a.m. · 3 views

The vulnerability of the export-v2.php and ajax.render.php components of the iTop IT service management web tool allows a perpetrator to execute arbitrary code.

The vulnerability of the export-v2.php and ajax.render.php components of the iTop IT service management web tool is related to the copying of buffers without checking the size of the input data. Exploiting this vulnerability could allow an attacker to execute arbitrary code...

CVSS 7.8 · AI score 7.5 · EPSS 0.00448
Exploits 0 · References 2 · Affected Software 1

OSV
added 2023/11/09 6:15 a.m. · 3 views

CVE-2023-47489

CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components...

CVSS 7.8 · AI score 6.1 · EPSS 0.00448
Exploits 0 · References 3

CNNVD
added 2023/11/09 12:00 a.m. · 2 views

Combodo iTop Security Vulnerability

Combodo iTop is an open-source, ITIL-based web application developed by the French company Combodo for the day-to-day operation of IT environments. The program provides incident management, configuration management and problem management. A security vulnerability exists in Combodo iTop version...

CVSS 7.8 · AI score 7.3 · EPSS 0.00448
Exploits 0 · References 4

Positive Technologies
added 2023/11/08 12:00 a.m. · 5 views

PT-2023-7017 · Comodo · Itop

Name of the Vulnerable Software and Affected Versions: Combodo iTop version 3.1.0-2-11973
Description: The issue is related to a CSV injection in the export as CSV feature, allowing a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components...

CVSS 7.8 · AI score 7.8 · EPSS 0.00448
Exploits 0 · References 9

ATTACKERKB
added 2022/06/14 5:15 p.m. · 5 views

CVE-2022-31403

ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php...

CVSS 6.1 · AI score 6.2 · EPSS 0.01672
Exploits 1 · References 4

Positive Technologies
added 2022/06/14 12:00 a.m. · 6 views

PT-2022-20733 · Itop +1 · Itop +1

Name of the Vulnerable Software and Affected Versions: ITOP version 3.0.1
Description: A cross-site scripting (XSS) issue was found in ITOP. The vulnerability can be exploited via the "/itop/pages/ajax.render.php" API endpoint.
Recommendations: For ITOP version 3.0.1, as a temporary workaround,...

CVSS 9.8 · AI score 6.7 · EPSS 0.25573
Exploits 11 · References 65

Prion
added 2020/10/30 5:15 p.m. · 34 views

Design/Logic Flaw

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widgettabbedcontainertabpanel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is...

CVSS 7.5 · AI score 9.7 · EPSS 0.99728
Exploits 29 · References 4 · Affected Software 1

Tenable Nessus
added 2020/08/10 12:00 a.m. · 312 views

vBulletin CVE-2019-16759 Bypass Remote Code Execution (CVE-2020-17496) (direct check)

The version of vBulletin running on the remote host is affected by an input-validation flaw in the ajax/render/widgetphp API that allows for remote code execution. This plugin tests for a bypass to the fix for CVE-2019-16759. %NASLMINLEVEL 70300 C Tenable Network Security, Inc...

CVSS 9.8 · AI score 9.2 · EPSS 0.99728
Exploits 28 · References 3

VulnCheck KEV
added 2019/10/09 12:00 a.m. · 2 views

VulnCheck KEV: CVE-2019-16759

The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via the widgetConfig[code] parameter in an ajax/render/widgetphp routestring request...

CVSS 9.8 · AI score 8 · EPSS 0.99728
Exploits 27 · References 1

Saint
added 2019/09/27 12:00 a.m. · 143 views

vBulletin remote command execution via the widgetConfig[code] parameter

Added: 09/27/2019
Background: vBulletin is a commercial web bulletin board application written in PHP using MySQL.
Problem: vBulletin allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widgetphp routestring request.
Resolution: Upgrade vBulletin to version higher th...

AI score 7.7
Exploits 0

Packet Storm
added 2019/09/24 12:00 a.m. · 984 views

vBulletin 5.x Pre-Auth Remote Code Execution

#!/usr/bin/python vBulletin 5.x 0day pre-auth RCE exploit. This should work on all versions from 5.0.0 till 5.5.4. Google Dorks: - site:.vbulletin.net - "Powered by vBulletin Version 5.5.4" import requests import sys if len(sys.argv) != 2: sys.exit("Usage: %s " % sys.argv[0]) params =...

AI score 0.2
Exploits 0

Positive Technologies
added 2019/09/24 12:00 a.m. · 8 views

PT-2019-6135

Name of the Vulnerable Software and Affected Versions: vBulletin versions 5.0.0 through 5.5.4
Description: The issue is related to errors in code generation management, allowing a remote attacker to execute arbitrary commands using a specially crafted widgetConfig[code] parameter in an...

CVSS 9.8 · AI score 10 · EPSS 0.99728
Exploits 27 · References 41

CNVD
added 2015/09/23 12:00 a.m. · 4 views

ITOP Reflective Cross-Site Scripting Vulnerability

ITOP is an open-source web application. ITOP suffers from a reflected cross-site scripting vulnerability. Due to insufficient filtering of input passed to the "/pages/ajax.render.php" script via the "title" HTTP GET parameter, a remote, unauthenticated attacker could trick a logged-in user into...

CVSS 6.1 · AI score 6.4 · EPSS 0.05562
Exploits 3 · References 1