CVE-2019-11215

In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during...

CVE-2021-41245

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by privUITransactionFile aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop conf...

CVE-2021-41162

Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the ajax.render.php?operation=wizardhelper page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known...

CVE-2021-41161

Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue...

CVE-2025-48878

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVE-2025-64167

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack leading to JS execution when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead...

CVE-2025-48065

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content...

CVE-2025-48055

Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0...

CVE-2025-47286

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on i...

CVE-2025-64167

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack leading to JS execution when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead...

CVE-2025-49145

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks mostly administrators can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature...

CVE-2025-48878

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVE-2025-48065

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content...

CVE-2025-48055

Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0...

CVE-2025-64167 Combodo iTop vulnerable to reflected XSS in webservices/export.php

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack leading to JS execution when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead...

CVE-2025-64167

Combodo iTop, a web-based IT service management tool, is vulnerable to cross-site scripting (JS execution) in versions prior to 2.7.13 and 3.2.2 when editing a URL parameter. In these versions, the export.php endpoint was deprecated and export-v2.php is used instead; the issue stems from insuffic...

CVE-2025-64167 Combodo iTop vulnerable to reflected XSS in webservices/export.php

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack leading to JS execution when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead...

CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

EUVD-2025-50777

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...

CVE-2025-48878 Combodo iTop vulnerable to IDOR with ModuleInstallation object

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user e.g. with Service desk agent profile to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue...