Lucene search
K

81 matches found

CVE
CVE
added 2020/06/05 9:12 p.m.130 views

CVE-2020-11696

CVE-2020-11696 is a stored XSS issue in Combodo iTop where a menu shortcut name could be exploited. The description specifies affected iTop packages and versions, with a fix in all iTop packages in version 2.7.0 and in iTop essential and iTop professional in version 2.6.4. Connected sources refer...

6.1CVSS5.8AI score0.00685EPSS
CVE
CVE
added 2020/02/14 9:2 p.m.128 views

CVE-2019-13966

CVE-2019-13966 affects iTop up to version 2.6.0, enabling cross-site scripting via XSS payloads in fields within the XML used to build the dashboard (e.g., icon). The related documents confirm that the vulnerability is XSS in the dashboard XML input, but do not provide a vendor patch or definitiv...

6.1CVSS5.8AI score0.00793EPSS
CVE
CVE
added 2020/02/14 9:3 p.m.127 views

CVE-2019-13967

The CVE applies to iTop versions 2.2.0 through 2.6.0 (community edition). An attacker can trigger a denial of service by sending many requests to launch a compile operation via the URI pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile. The issu...

7.5CVSS7.4AI score0.01282EPSS
Web
CVE
CVE
added 2020/06/05 9:1 p.m.127 views

CVE-2020-11697

Combodo iTop is affected by a reflected XSS in dashboard IDs. The issue is fixed in all iTop packages for version 2.7.0, and in iTop essential and professional packages for version 2.6.4. Affected products and versions outside those ranges are not specified in the provided documents. Exploitation...

6.1CVSS5.9AI score0.00685EPSS
CVE
CVE
added 2022/04/05 6:30 p.m.121 views

CVE-2022-24780

CVE-2022-24780 affects Combodo iTop (web-based IT service management). In versions before 2.7.6 (and 3.0.0), the iTop portal accepts crafted HTTP queries that cause Twig template code to be executed on the server, enabling arbitrary code execution with the server user privileges. Root cause: temp...

8.8CVSS8.7AI score0.05341EPSS
CVE
CVE
added 2020/02/14 9:1 p.m.118 views

CVE-2019-13965

CVE-2019-13965 affects iTop up to 2.6.0, with Reflective XSS via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. The root cause is lack of sanitization around error messages, enabling XSS to reach an administrator; this can, per ...

6.1CVSS6.3AI score0.01558EPSS
Web
CVE
CVE
added 2020/02/14 5:31 p.m.117 views

CVE-2019-11215

CVE-2019-11215 affects Combodo iTop versions 2.2.0–2.6.0. If the configuration file is writable, an attacker can achieve arbitrary code execution by sending a crafted payload to the ajax.dataloader API. The condition for writability can arise during installation, upgrade, a web-interface write er...

8.1CVSS8.1AI score0.01167EPSS
CVE
CVE
added 2022/04/05 3:5 p.m.95 views

CVE-2021-41245

CVE-2021-41245 affects Combodo iTop prior to 2.7.6 and 3.0.0 where CSRF tokens generated by privUITransactionFile are not properly checked. RH and Red Hat entries corroborate the same issue and note that versions 2.7.6 and 3.0.0 include a patch. A workaround is to use a session-based implementati...

8.1CVSS7.2AI score0.00694EPSS
CVE
CVE
added 2022/04/05 6:35 p.m.93 views

CVE-2022-24811

CVE-2022-24811 affects Combodo iTop, a web-based IT service management platform. The issue is a cross-site scripting vulnerability that occurs when displaying HTML attachments, enabling scripts outside of script tags to execute. The root cause is improper handling of HTML content in attachments, ...

5.4CVSS5.1AI score0.00737EPSS
CVE
CVE
added 2022/04/21 4:40 p.m.91 views

CVE-2022-24870

CVE-2022-24870: Stored cross-site scripting in Combodo iTop due to malicious script injection in tooltips via the iTop customization mechanism in 3.0.0 beta releases prior to beta3. Affected: Combodo iTop (web-based ITSM). Impact: stored XSS to authorized users; upgrade is advised; no public work...

8.7CVSS5.7AI score0.00893EPSS
CVE
CVE
added 2024/11/05 6:11 p.m.88 views

CVE-2024-51739

CVE-2024-51739 affects Combodo iTop. Unauthenticated access via REST endpoint (webservices/rest.php) enables user enumeration through do_reset_pwd, exposing whether a user exists and aiding brute-force attempts. Descriptions in multiple sources confirm the issue stems from password-reset feedback...

7.5CVSS6.3AI score0.01259EPSS
CVE
CVE
added 2022/04/21 4:45 p.m.79 views

CVE-2021-41162

CVE-2021-41162 affects Combodo iTop, where in 3.0.0 beta releases prior to beta6 the ajax.render.php?operation=wizard_helper page did not properly escape user input, enabling a cross-site scripting (XSS) vulnerability. Red Hat confirms the issue and advises upgrading iTop to a version that contai...

9.3CVSS6.5AI score0.00612EPSS
CVE
CVE
added 2024/11/04 11:36 p.m.79 views

CVE-2024-32870

CVE-2024-32870 affects Combodo iTop. An unauthenticated information-disclosure vulnerability allows reading server, OS, DBMS, PHP, and iTop configuration/name/parameters via the iTop URI. Patched in iTop versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0; upgrade to a fixed release or later. No exploitatio...

5.8CVSS5.5AI score0.00731EPSS
CVE
CVE
added 2025/02/25 7:52 p.m.76 views

CVE-2025-27139

CVE-2025-27139 affects Combodo iTop (web-based IT service management). The vulnerability is a cross-site scripting issue on the preferences page. Affected versions are earlier than 2.7.12, 3.1.2, and 3.2.0. The issue is mitigated by upgrading to the fixed releases: 2.7.12, 3.1.2, or 3.2.0. No exp...

6.8CVSS6.3AI score0.00222EPSS
CVE
CVE
added 2022/06/10 4:47 p.m.74 views

CVE-2022-31402

Multiple sources corroborate that ITOP (iTop) is affected by cross-site scripting (XSS) vulnerabilities in various components and versions. The original CVE-2022-31402 notes an XSS via /itop/webservices/export-v2.php in ITOP 3.0.1. Connected PTSecurity entries expand on additional XSS issues: (1)...

6.1CVSS6AI score0.0219EPSS
CVE
CVE
added 2018/02/20 8:0 p.m.71 views

CVE-2015-6544

CVE-2015-6544 affects Combodo iTop

6.1CVSS5.8AI score0.05477EPSS
Web
CVE
CVE
added 2023/10/25 3:35 p.m.71 views

CVE-2023-34447

CVE-2023-34447 affects iTop, an open source web-based IT service management platform. Multiple sources confirm a cross-site scripting (XSS) vulnerability on the filepages/UI.php, present in versions prior to 3.0.4 and 3.1.0. The issue is described as fixed in versions 3.0.4 and 3.1.0, with remedi...

8.8CVSS6.9AI score0.00676EPSS
CVE
CVE
added 2011/11/26 2:0 a.m.69 views

CVE-2011-4275

CVE-2011-4275 affects iTop (IT Operations Portal) 1.1.181 and 1.2.0-RC-282, with multiple stored and reflected XSS vectors. The root cause is insufficient input sanitisation across numerous fields and parameters (e.g., company name, database server name, CSV import, copy‑paste actions, auth_user ...

4.3CVSS5.7AI score0.01624EPSS
Web
CVE
CVE
added 2020/08/10 2:45 a.m.67 views

CVE-2020-12777

CVE-2020-12777 concerns Combodo iTop: a Broken Access Control vulnerability in a function that can allow an unauthorized attacker to inject commands and disclose system information. Related connected documents describe additional iTop issues (notably XSS and information disclosure) across multipl...

7.5CVSS7.5AI score0.0126EPSS
CVE
CVE
added 2022/06/14 4:17 p.m.67 views

CVE-2022-31403

CVE-2022-31403 affects the IT service management platform iTop (notably v3.0.x, with the core issue reported as an XSS via /itop/pages/ajax.render.php). The Red Hat advisory confirms the existence of an XSS vulnerability in ITOP 3.0.1, with public-facing impact described as cross-site scripting. ...

6.1CVSS6AI score0.01711EPSS
CVE
CVE
added 2022/04/21 4:35 p.m.66 views

CVE-2021-41161

CVE-2021-41161 affects Combodo iTop prior to 3.0.0-beta6. The export CSV page does not properly escape user-supplied parameters, allowing JavaScript injection into rendered CSV files. Upgrading to 3.0.0-beta6 or later is advised (as reflected by multiple connected sources incl. Red Hat). There ar...

9.3CVSS6.8AI score0.00612EPSS
CVE
CVE
added 2021/07/21 8:25 p.m.64 views

CVE-2021-32776

Combodo iTop has a CSRF token reuse vulnerability in versions before 2.7.4 (and before 3.0.0 in some advisories) due to no cleanup of CSRF tokens on Windows servers. The issue enables CSRF token reuse by a malicious user. It is fixed in iTop 2.7.4 and 3.0.0. Red Hat CPE advisory confirms the CVE-...

8.8CVSS7.4AI score0.00377EPSS
CVE
CVE
added 2024/11/04 11:30 p.m.64 views

CVE-2023-34444

Combodo iTop is affected by CVE-2023-34444 through an XSS vulnerability in pages/ajax.searchform.php. The issue permits cross-site scripting for scripts outside of script tags and affects versions prior to 2.7.9, 3.0.4, and 3.1.0. Root cause is improper input handling/output encoding in the ajax....

8.8CVSS7.2AI score0.00286EPSS
CVE
CVE
added 2021/07/21 8:20 p.m.63 views

CVE-2021-32775

CVE-2021-32775 (Combodo iTop) : An information disclosure in iTop prior to versions 2.7.4 and 3.0.0 allowed a non-admin user to view many class/field values via a GroupBy Dashlet error message. The issue is fixed in 2.7.4 and 3.0.0. Affected product details and exact root cause are described in t...

7.7CVSS6.3AI score0.00779EPSS
CVE
CVE
added 2024/04/15 5:6 p.m.63 views

CVE-2023-38511

The CVE-2023-38511 entry concerns iTop, an IT service management platform. Affected component: the dashboard editor, which can load multiple files/URLs and previously disclosed full paths in the dashboard config file. Connected sources describe concrete issues including path disclosure and a sepa...

5CVSS6.6AI score0.00684EPSS
CVE
CVE
added 2024/12/13 3:59 p.m.63 views

CVE-2024-54139

Combodo iTop is affected by a cross-site scripting (XSS) vulnerability that can lead to cross-site request forgery (CSRF) via the _table_id parameter. Impact is described as high/critical in CVE sources. Affected versions: prior to 2.7.11, 3.1.2, and 3.2.0. Patches are available in versions 2.7.1...

9.6CVSS7.5AI score0.00206EPSS
CVE
CVE
added 2020/03/16 5:15 p.m.62 views

CVE-2019-19821

CVE-2019-19821 affects the Combodo iTop web application. A post‑authentication privilege escalation allows regular authenticated users to access and modify information with administrative privileges due to improper handling of HTTP Location header in server responses. Mitigation per sources is to...

8.1CVSS7.9AI score0.01432EPSS
CVE
CVE
added 2024/11/04 11:35 p.m.62 views

CVE-2024-31998

CVE-2024-31998 affects Combodo iTop (web-based ITSM). A CSRF on the CSV import simulation could allow unauthorized state-changing actions. Affected versions are prior to 3.1.2 and 3.2.0; fixed in 3.1.2 and 3.2.0. CVSSv3.1 base score 8.8 (HIGH) with user interaction required. No public workarounds...

8.8CVSS8.7AI score0.00226EPSS
CVE
CVE
added 2023/03/14 3:10 p.m.61 views

CVE-2022-39214

CVE-2022-39214 (Combodo iTop) : Authenticated users can take over any account by knowing the target username. Affected: iTop prior to 2.7.8 and 3.0.2-1. Root cause: horizontal account takeover due to login handling. Impact: total account takeover with high confidentiality/integrity/availability i...

9.6CVSS7.6AI score0.25573EPSS
CVE
CVE
added 2024/04/15 5:47 p.m.61 views

CVE-2023-48710

CVE-2023-48710 affects iTop where files in the env-production folder could be retrieved despite restricted access. The issue is mitigated by fixes in iTop versions 2.7.10, 3.0.4, 3.1.1, and 3.2.0, which include restricting file retrieval and limiting execution in pages/exec.php to PHP files. Conn...

9.8CVSS9.2AI score0.00719EPSS
CVE
CVE
added 2025/05/14 2:57 p.m.59 views

CVE-2025-24022

CVE-2025-24022 affects the iTop web-based IT Service Management tool. The vulnerability allows server-side code execution via the portal frontend in affected versions prior to 2.7.12, 3.1.3, and 3.2.1. It is fixed in those same release lines (2.7.12, 3.1.3, 3.2.1). These details come from multipl...

8.5CVSS7.6AI score0.00499EPSS
CVE
CVE
added 2020/08/10 2:45 a.m.58 views

CVE-2020-12781

CVE-2020-12781 affects Combodo iTop and describes a cross-site request forgery (CSRF) vulnerability. The CVE entry notes that attackers can trigger commands via a malicious site request forgery, with NVD metrics indicating notable impact (CVSS v3.1: High, with Network exposure, no privileges requ...

8.8CVSS7.3AI score0.00478EPSS
CVE
CVE
added 2024/11/05 6:13 p.m.58 views

CVE-2024-51740

Combodo iTop is affected by CVE-2024-51740, a SSRF through arbitrary PHP class instantiation in the user portal. A low-privilege user can cause the server to make HTTP requests, exposing potential appetite for unintended requests from the server context. Fixed in iTop versions 2.7.11, 3.0.5, 3.1....

8.8CVSS4.9AI score0.00528EPSS
CVE
CVE
added 2025/05/14 2:48 p.m.58 views

CVE-2025-24021

CVE-2025-24021 affects iTop (web-based IT Service Management). Prior to fixes, any account with portal access could set values on object fields that should not be modifiable. Affected versions: 2.7.11 or earlier? The initial docs list vulnerable versions as 2.7.12, 3.1.3, and 3.2.1 that contain f...

5CVSS5.2AI score0.00224EPSS
CVE
CVE
added 2024/11/04 11:34 p.m.57 views

CVE-2024-31448

CVE-2024-31448 is a Cross-site Scripting (XSS) vulnerability in Combodo iTop triggered by malicious CSV content during import. Affected software is Combodo iTop (web-based IT Service Management). The issue is fixed in versions 3.1.2 and 3.2.0; users should upgrade to one of these versions or late...

8.8CVSS7AI score0.00329EPSS
CVE
CVE
added 2024/11/08 10:16 p.m.57 views

CVE-2024-52002

Combodo iTop is affected by a Cross-Site Request Forgery (CSRF) across multiple endpoints. The CVE describes CSRF in several iTop pages, with an explicit fix in version 3.2.0; all users are advised to upgrade. The public sources indicate there are no known workarounds. Connected references corrob...

8.8CVSS7.7AI score0.00638EPSS
CVE
CVE
added 2020/08/10 2:45 a.m.56 views

CVE-2020-12780

CVE-2020-12780 stems from a security misconfiguration in Combodo iTop exposing sensitive information. Connected advisories describe related, concrete iTop flaws affecting multiple versions and modules: XSS in dashlets/dashboard editor (pre-3.0.4/3.1.1), full path disclosure in dashboard config, a...

7.5CVSS7.5AI score0.01194EPSS
CVE
CVE
added 2024/04/15 5:36 p.m.56 views

CVE-2023-47626

CVE-2023-47626 affects iTop (an IT service management platform). The vulnerability is an XSS risk that occurs when displaying/editing a user’s personal tokens; the root cause is improper handling of token-related input in the UI, enabling script execution. A fix is available in iTop v3.1.1 (and l...

8.8CVSS5.9AI score0.00379EPSS
CVE
CVE
added 2024/04/15 5:43 p.m.56 views

CVE-2023-48709

CVE-2023-48709 – iTop formula/CSV export vulnerability : Combodo iTop exports data to CSV/Excel; inputs in exported files may contain malicious formulas. If opened in Excel, this could lead to remote code execution (noted for Excel 2016). Affected versions are iTop prior to the fixed releases. Re...

8CVSS8AI score0.00958EPSS
CVE
CVE
added 2024/11/04 11:31 p.m.55 views

CVE-2023-34445

Combodo iTop contains a cross-site scripting (XSS) vulnerability in the pages/ajax.render.php endpoint. The issue affects rendering of pages and allows script execution outside of script tags. Remediation is to upgrade to fixed versions: 2.7.9, 3.0.4, or 3.1.0. There are no workarounds documented...

8.8CVSS7.2AI score0.00286EPSS
CVE
CVE
added 2024/04/15 5:31 p.m.55 views

CVE-2023-47123

CVE-2023-47123 concerns iTop, an IT service management platform. The vulnerability arises when an attacker injects malicious code into an object’s friendlyname/complementary name, enabling an XSS attack when that object is rendered as an n:n relation item in another object. Affected behavior is l...

8.7CVSS6.1AI score0.00339EPSS
CVE
CVE
added 2020/08/10 2:45 a.m.54 views

CVE-2020-12778

CVE-2020-12778 concerns Combodo iTop (IT service management). The initial description states input validation failures allow command injection and XSS. Connected documents elaborate multiple iTop-XSS/credential issues across versions and components: dashboard editor and dashlets can load files/UR...

7.4CVSS6.4AI score0.00793EPSS
CVE
CVE
added 2023/03/14 3:10 p.m.54 views

CVE-2022-39216

CVE-2022-39216 affects Combodo iTop. Before versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter, which may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. Vectors/exploitation details beyond this are not provided in the ac...

9.8CVSS8.4AI score0.00912EPSS
CVE
CVE
added 2024/04/15 5:28 p.m.54 views

CVE-2023-45808

CVE-2023-45808 – iTop silo check bypass Affected software: Combodo iTop (IT service management platform). Issue: When creating or updating objects, extkey values aren’t checked against the current user silo, allowing forged HTTP requests to reference out-of-silo objects (e.g., a UserRequest in an...

5.4CVSS6.8AI score0.00336EPSS
CVE
CVE
added 2024/11/04 11:29 p.m.53 views

CVE-2023-34443

CVE-2023-34443 describes a Cross-site Scripting (XSS) vulnerability in Combodo iTop, specifically on the Run queries page (run_query.php). Affected versions are prior to 2.7.9, prior to 3.0.4, and prior to 3.1.0. The issue is fixed in versions 2.7.9, 3.0.4, and 3.1.0; upgrading to these versions ...

8.8CVSS7AI score0.00287EPSS
CVE
CVE
added 2024/11/07 5:59 p.m.53 views

CVE-2024-51993

CVE-2024-51993 affects Combodo iTop (pre-3.2.0) where passwords for misconfigured users are stored in cleartext and can be read if an attacker gains access to backups or the database. The issue is mitigated by upgrading to version 3.2.0 or later. If upgrading is not possible, encryption of backup...

3.4CVSS3.9AI score0.0011EPSS
CVE
CVE
added 2024/11/07 5:55 p.m.53 views

CVE-2024-51995

Combodo iTop is affected by a logic bug in ajax.render.php that allows bypassing backOffice access control by crafting arbitrary routes, unless an allowed operation is specified. The issue is resolved in version 3.2.0 by applying the same access-control pattern used in UI.php to ajax.render.php, ...

7.1CVSS7AI score0.0042EPSS
CVE
CVE
added 2024/11/08 10:20 p.m.53 views

CVE-2024-52000

CVE-2024-52000 affects Combodo iTop (prior to version 3.2.0): a reflected Cross-site Scripting (XSS) vulnerability triggered by editing a request payload, potentially enabling malicious JavaScript execution. The issue is mitigated in version 3.2.0 via systematic escaping of error messages when re...

8.1CVSS7.8AI score0.00355EPSS
CVE
CVE
added 2020/08/10 2:45 a.m.52 views

CVE-2020-12779

CVE-2020-12779 concerns a stored XSS in Combodo iTop via uploading a file containing malicious script. The connected advisories corroborate repeated iTop XSS issues across multiple versions and components (e.g., UI and dashboard-related paths) with affected versions including pre-3.0.4, pre-3.1.1...

6.8CVSS5.5AI score0.0063EPSS
CVE
CVE
added 2018/05/02 7:0 a.m.51 views

CVE-2018-10642

CVE-2018-10642 affects Combodo iTop 2.4.1. The vulnerability is a command injection : a remote authenticated administrator can cause arbitrary commands to run by altering the platform configuration, due to a function TestConfig() in web/env-production/itop-config/config.php that calls eval(). The...

7.2CVSS6.7AI score0.07495EPSS
Total number of security vulnerabilities81