CVE-2025-24021 iTop doesn't have mass assignment of fields in the portal form
iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set values on object fields they are not supposed to be able to modify. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue...
Design/Logic Flaw
In iTop through 2.6.0, an XSS payload can be delivered in certain fields, such as the icon field of the XML file used to build the dashboard. This is similar to CVE-2015-6544, which concerns only the dashboard title...