81 matches found
CVE-2020-11696
CVE-2020-11696 is a stored XSS issue in Combodo iTop where a menu shortcut name could be exploited. The description specifies affected iTop packages and versions, with a fix in all iTop packages in version 2.7.0 and in iTop essential and iTop professional in version 2.6.4. Connected sources refer...
CVE-2019-13966
CVE-2019-13966 affects iTop up to version 2.6.0, enabling cross-site scripting via XSS payloads in fields within the XML used to build the dashboard (e.g., icon). The related documents confirm that the vulnerability is XSS in the dashboard XML input, but do not provide a vendor patch or definitiv...
CVE-2019-13967
The CVE applies to iTop versions 2.2.0 through 2.6.0 (community edition). An attacker can trigger a denial of service by sending many requests to launch a compile operation via the URI pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile. The issu...
CVE-2020-11697
Combodo iTop is affected by a reflected XSS in dashboard IDs. The issue is fixed in all iTop packages for version 2.7.0, and in iTop essential and professional packages for version 2.6.4. Affected products and versions outside those ranges are not specified in the provided documents. Exploitation...
CVE-2022-24780
CVE-2022-24780 affects Combodo iTop (web-based IT service management). In versions before 2.7.6 (and 3.0.0), the iTop portal accepts crafted HTTP queries that cause Twig template code to be executed on the server, enabling arbitrary code execution with the server user privileges. Root cause: temp...
CVE-2019-13965
CVE-2019-13965 affects iTop up to 2.6.0, with Reflective XSS via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. The root cause is lack of sanitization around error messages, enabling XSS to reach an administrator; this can, per ...
CVE-2019-11215
CVE-2019-11215 affects Combodo iTop versions 2.2.0–2.6.0. If the configuration file is writable, an attacker can achieve arbitrary code execution by sending a crafted payload to the ajax.dataloader API. The condition for writability can arise during installation, upgrade, a web-interface write er...
CVE-2021-41245
CVE-2021-41245 affects Combodo iTop prior to 2.7.6 and 3.0.0 where CSRF tokens generated by privUITransactionFile are not properly checked. RH and Red Hat entries corroborate the same issue and note that versions 2.7.6 and 3.0.0 include a patch. A workaround is to use a session-based implementati...
CVE-2022-24811
CVE-2022-24811 affects Combodo iTop, a web-based IT service management platform. The issue is a cross-site scripting vulnerability that occurs when displaying HTML attachments, enabling scripts outside of script tags to execute. The root cause is improper handling of HTML content in attachments, ...
CVE-2022-24870
CVE-2022-24870: Stored cross-site scripting in Combodo iTop due to malicious script injection in tooltips via the iTop customization mechanism in 3.0.0 beta releases prior to beta3. Affected: Combodo iTop (web-based ITSM). Impact: stored XSS to authorized users; upgrade is advised; no public work...
CVE-2024-51739
CVE-2024-51739 affects Combodo iTop. Unauthenticated access via REST endpoint (webservices/rest.php) enables user enumeration through do_reset_pwd, exposing whether a user exists and aiding brute-force attempts. Descriptions in multiple sources confirm the issue stems from password-reset feedback...
CVE-2021-41162
CVE-2021-41162 affects Combodo iTop, where in 3.0.0 beta releases prior to beta6 the ajax.render.php?operation=wizard_helper page did not properly escape user input, enabling a cross-site scripting (XSS) vulnerability. Red Hat confirms the issue and advises upgrading iTop to a version that contai...
CVE-2024-32870
CVE-2024-32870 affects Combodo iTop. An unauthenticated information-disclosure vulnerability allows reading server, OS, DBMS, PHP, and iTop configuration/name/parameters via the iTop URI. Patched in iTop versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0; upgrade to a fixed release or later. No exploitatio...
CVE-2025-27139
CVE-2025-27139 affects Combodo iTop (web-based IT service management). The vulnerability is a cross-site scripting issue on the preferences page. Affected versions are earlier than 2.7.12, 3.1.2, and 3.2.0. The issue is mitigated by upgrading to the fixed releases: 2.7.12, 3.1.2, or 3.2.0. No exp...
CVE-2022-31402
Multiple sources corroborate that ITOP (iTop) is affected by cross-site scripting (XSS) vulnerabilities in various components and versions. The original CVE-2022-31402 notes an XSS via /itop/webservices/export-v2.php in ITOP 3.0.1. Connected PTSecurity entries expand on additional XSS issues: (1)...
CVE-2015-6544
CVE-2015-6544 affects Combodo iTop
CVE-2023-34447
CVE-2023-34447 affects iTop, an open source web-based IT service management platform. Multiple sources confirm a cross-site scripting (XSS) vulnerability on the filepages/UI.php, present in versions prior to 3.0.4 and 3.1.0. The issue is described as fixed in versions 3.0.4 and 3.1.0, with remedi...
CVE-2011-4275
CVE-2011-4275 affects iTop (IT Operations Portal) 1.1.181 and 1.2.0-RC-282, with multiple stored and reflected XSS vectors. The root cause is insufficient input sanitisation across numerous fields and parameters (e.g., company name, database server name, CSV import, copy‑paste actions, auth_user ...
CVE-2020-12777
CVE-2020-12777 concerns Combodo iTop: a Broken Access Control vulnerability in a function that can allow an unauthorized attacker to inject commands and disclose system information. Related connected documents describe additional iTop issues (notably XSS and information disclosure) across multipl...
CVE-2022-31403
CVE-2022-31403 affects the IT service management platform iTop (notably v3.0.x, with the core issue reported as an XSS via /itop/pages/ajax.render.php). The Red Hat advisory confirms the existence of an XSS vulnerability in ITOP 3.0.1, with public-facing impact described as cross-site scripting. ...
CVE-2021-41161
CVE-2021-41161 affects Combodo iTop prior to 3.0.0-beta6. The export CSV page does not properly escape user-supplied parameters, allowing JavaScript injection into rendered CSV files. Upgrading to 3.0.0-beta6 or later is advised (as reflected by multiple connected sources incl. Red Hat). There ar...
CVE-2021-32776
Combodo iTop has a CSRF token reuse vulnerability in versions before 2.7.4 (and before 3.0.0 in some advisories) due to no cleanup of CSRF tokens on Windows servers. The issue enables CSRF token reuse by a malicious user. It is fixed in iTop 2.7.4 and 3.0.0. Red Hat CPE advisory confirms the CVE-...
CVE-2023-34444
Combodo iTop is affected by CVE-2023-34444 through an XSS vulnerability in pages/ajax.searchform.php. The issue permits cross-site scripting for scripts outside of script tags and affects versions prior to 2.7.9, 3.0.4, and 3.1.0. Root cause is improper input handling/output encoding in the ajax....
CVE-2021-32775
CVE-2021-32775 (Combodo iTop) : An information disclosure in iTop prior to versions 2.7.4 and 3.0.0 allowed a non-admin user to view many class/field values via a GroupBy Dashlet error message. The issue is fixed in 2.7.4 and 3.0.0. Affected product details and exact root cause are described in t...
CVE-2023-38511
The CVE-2023-38511 entry concerns iTop, an IT service management platform. Affected component: the dashboard editor, which can load multiple files/URLs and previously disclosed full paths in the dashboard config file. Connected sources describe concrete issues including path disclosure and a sepa...
CVE-2024-54139
Combodo iTop is affected by a cross-site scripting (XSS) vulnerability that can lead to cross-site request forgery (CSRF) via the _table_id parameter. Impact is described as high/critical in CVE sources. Affected versions: prior to 2.7.11, 3.1.2, and 3.2.0. Patches are available in versions 2.7.1...
CVE-2019-19821
CVE-2019-19821 affects the Combodo iTop web application. A post‑authentication privilege escalation allows regular authenticated users to access and modify information with administrative privileges due to improper handling of HTTP Location header in server responses. Mitigation per sources is to...
CVE-2024-31998
CVE-2024-31998 affects Combodo iTop (web-based ITSM). A CSRF on the CSV import simulation could allow unauthorized state-changing actions. Affected versions are prior to 3.1.2 and 3.2.0; fixed in 3.1.2 and 3.2.0. CVSSv3.1 base score 8.8 (HIGH) with user interaction required. No public workarounds...
CVE-2022-39214
CVE-2022-39214 (Combodo iTop) : Authenticated users can take over any account by knowing the target username. Affected: iTop prior to 2.7.8 and 3.0.2-1. Root cause: horizontal account takeover due to login handling. Impact: total account takeover with high confidentiality/integrity/availability i...
CVE-2023-48710
CVE-2023-48710 affects iTop where files in the env-production folder could be retrieved despite restricted access. The issue is mitigated by fixes in iTop versions 2.7.10, 3.0.4, 3.1.1, and 3.2.0, which include restricting file retrieval and limiting execution in pages/exec.php to PHP files. Conn...
CVE-2025-24022
CVE-2025-24022 affects the iTop web-based IT Service Management tool. The vulnerability allows server-side code execution via the portal frontend in affected versions prior to 2.7.12, 3.1.3, and 3.2.1. It is fixed in those same release lines (2.7.12, 3.1.3, 3.2.1). These details come from multipl...
CVE-2020-12781
CVE-2020-12781 affects Combodo iTop and describes a cross-site request forgery (CSRF) vulnerability. The CVE entry notes that attackers can trigger commands via a malicious site request forgery, with NVD metrics indicating notable impact (CVSS v3.1: High, with Network exposure, no privileges requ...
CVE-2024-51740
Combodo iTop is affected by CVE-2024-51740, a SSRF through arbitrary PHP class instantiation in the user portal. A low-privilege user can cause the server to make HTTP requests, exposing potential appetite for unintended requests from the server context. Fixed in iTop versions 2.7.11, 3.0.5, 3.1....
CVE-2025-24021
CVE-2025-24021 affects iTop (web-based IT Service Management). Prior to fixes, any account with portal access could set values on object fields that should not be modifiable. Affected versions: 2.7.11 or earlier? The initial docs list vulnerable versions as 2.7.12, 3.1.3, and 3.2.1 that contain f...
CVE-2024-31448
CVE-2024-31448 is a Cross-site Scripting (XSS) vulnerability in Combodo iTop triggered by malicious CSV content during import. Affected software is Combodo iTop (web-based IT Service Management). The issue is fixed in versions 3.1.2 and 3.2.0; users should upgrade to one of these versions or late...
CVE-2024-52002
Combodo iTop is affected by a Cross-Site Request Forgery (CSRF) across multiple endpoints. The CVE describes CSRF in several iTop pages, with an explicit fix in version 3.2.0; all users are advised to upgrade. The public sources indicate there are no known workarounds. Connected references corrob...
CVE-2020-12780
CVE-2020-12780 stems from a security misconfiguration in Combodo iTop exposing sensitive information. Connected advisories describe related, concrete iTop flaws affecting multiple versions and modules: XSS in dashlets/dashboard editor (pre-3.0.4/3.1.1), full path disclosure in dashboard config, a...
CVE-2023-47626
CVE-2023-47626 affects iTop (an IT service management platform). The vulnerability is an XSS risk that occurs when displaying/editing a user’s personal tokens; the root cause is improper handling of token-related input in the UI, enabling script execution. A fix is available in iTop v3.1.1 (and l...
CVE-2023-48709
CVE-2023-48709 – iTop formula/CSV export vulnerability : Combodo iTop exports data to CSV/Excel; inputs in exported files may contain malicious formulas. If opened in Excel, this could lead to remote code execution (noted for Excel 2016). Affected versions are iTop prior to the fixed releases. Re...
CVE-2023-34445
Combodo iTop contains a cross-site scripting (XSS) vulnerability in the pages/ajax.render.php endpoint. The issue affects rendering of pages and allows script execution outside of script tags. Remediation is to upgrade to fixed versions: 2.7.9, 3.0.4, or 3.1.0. There are no workarounds documented...
CVE-2023-47123
CVE-2023-47123 concerns iTop, an IT service management platform. The vulnerability arises when an attacker injects malicious code into an object’s friendlyname/complementary name, enabling an XSS attack when that object is rendered as an n:n relation item in another object. Affected behavior is l...
CVE-2020-12778
CVE-2020-12778 concerns Combodo iTop (IT service management). The initial description states input validation failures allow command injection and XSS. Connected documents elaborate multiple iTop-XSS/credential issues across versions and components: dashboard editor and dashlets can load files/UR...
CVE-2022-39216
CVE-2022-39216 affects Combodo iTop. Before versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter, which may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. Vectors/exploitation details beyond this are not provided in the ac...
CVE-2023-45808
CVE-2023-45808 – iTop silo check bypass Affected software: Combodo iTop (IT service management platform). Issue: When creating or updating objects, extkey values aren’t checked against the current user silo, allowing forged HTTP requests to reference out-of-silo objects (e.g., a UserRequest in an...
CVE-2023-34443
CVE-2023-34443 describes a Cross-site Scripting (XSS) vulnerability in Combodo iTop, specifically on the Run queries page (run_query.php). Affected versions are prior to 2.7.9, prior to 3.0.4, and prior to 3.1.0. The issue is fixed in versions 2.7.9, 3.0.4, and 3.1.0; upgrading to these versions ...
CVE-2024-51993
CVE-2024-51993 affects Combodo iTop (pre-3.2.0) where passwords for misconfigured users are stored in cleartext and can be read if an attacker gains access to backups or the database. The issue is mitigated by upgrading to version 3.2.0 or later. If upgrading is not possible, encryption of backup...
CVE-2024-51995
Combodo iTop is affected by a logic bug in ajax.render.php that allows bypassing backOffice access control by crafting arbitrary routes, unless an allowed operation is specified. The issue is resolved in version 3.2.0 by applying the same access-control pattern used in UI.php to ajax.render.php, ...
CVE-2024-52000
CVE-2024-52000 affects Combodo iTop (prior to version 3.2.0): a reflected Cross-site Scripting (XSS) vulnerability triggered by editing a request payload, potentially enabling malicious JavaScript execution. The issue is mitigated in version 3.2.0 via systematic escaping of error messages when re...
CVE-2020-12779
CVE-2020-12779 concerns a stored XSS in Combodo iTop via uploading a file containing malicious script. The connected advisories corroborate repeated iTop XSS issues across multiple versions and components (e.g., UI and dashboard-related paths) with affected versions including pre-3.0.4, pre-3.1.1...
CVE-2018-10642
CVE-2018-10642 affects Combodo iTop 2.4.1. The vulnerability is a command injection : a remote authenticated administrator can cause arbitrary commands to run by altering the platform configuration, due to a function TestConfig() in web/env-production/itop-config/config.php that calls eval(). The...