61 matches found
CVE-2020-11696
CVE-2020-11696 is a stored XSS issue in Combodo iTop where a menu shortcut name could be exploited. The description specifies affected iTop packages and versions, with a fix in all iTop packages in version 2.7.0 and in iTop essential and iTop professional in version 2.6.4. Connected sources refer...
CVE-2020-11697
Combodo iTop is affected by a reflected XSS in dashboard IDs. The issue is fixed in all iTop packages for version 2.7.0, and in iTop essential and professional packages for version 2.6.4. Affected products and versions outside those ranges are not specified in the provided documents. Exploitation...
CVE-2022-24780
CVE-2022-24780 affects Combodo iTop (web-based IT service management). In versions before 2.7.6 (and 3.0.0), the iTop portal accepts crafted HTTP queries that cause Twig template code to be executed on the server, enabling arbitrary code execution with the server user privileges. Root cause: temp...
CVE-2021-41245
CVE-2021-41245 affects Combodo iTop prior to 2.7.6 and 3.0.0 where CSRF tokens generated by privUITransactionFile are not properly checked. RH and Red Hat entries corroborate the same issue and note that versions 2.7.6 and 3.0.0 include a patch. A workaround is to use a session-based implementati...
CVE-2022-24811
CVE-2022-24811 affects Combodo iTop, a web-based IT service management platform. The issue is a cross-site scripting vulnerability that occurs when displaying HTML attachments, enabling scripts outside of script tags to execute. The root cause is improper handling of HTML content in attachments, ...
CVE-2024-51739
CVE-2024-51739 affects Combodo iTop. Unauthenticated access via REST endpoint (webservices/rest.php) enables user enumeration through do_reset_pwd, exposing whether a user exists and aiding brute-force attempts. Descriptions in multiple sources confirm the issue stems from password-reset feedback...
CVE-2024-32870
CVE-2024-32870 affects Combodo iTop. An unauthenticated information-disclosure vulnerability allows reading server, OS, DBMS, PHP, and iTop configuration/name/parameters via the iTop URI. Patched in iTop versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0; upgrade to a fixed release or later. No exploitatio...
CVE-2025-27139
CVE-2025-27139 affects Combodo iTop (web-based IT service management). The vulnerability is a cross-site scripting issue on the preferences page. Affected versions are earlier than 2.7.12, 3.1.2, and 3.2.0. The issue is mitigated by upgrading to the fixed releases: 2.7.12, 3.1.2, or 3.2.0. No exp...
CVE-2015-6544
CVE-2015-6544 affects Combodo iTop
CVE-2023-34447
CVE-2023-34447 affects iTop, an open source web-based IT service management platform. Multiple sources confirm a cross-site scripting (XSS) vulnerability on the filepages/UI.php, present in versions prior to 3.0.4 and 3.1.0. The issue is described as fixed in versions 3.0.4 and 3.1.0, with remedi...
CVE-2020-12777
CVE-2020-12777 concerns Combodo iTop: a Broken Access Control vulnerability in a function that can allow an unauthorized attacker to inject commands and disclose system information. Related connected documents describe additional iTop issues (notably XSS and information disclosure) across multipl...
CVE-2021-41161
CVE-2021-41161 affects Combodo iTop prior to 3.0.0-beta6. The export CSV page does not properly escape user-supplied parameters, allowing JavaScript injection into rendered CSV files. Upgrading to 3.0.0-beta6 or later is advised (as reflected by multiple connected sources incl. Red Hat). There ar...
CVE-2024-54139
Combodo iTop is affected by a cross-site scripting (XSS) vulnerability that can lead to cross-site request forgery (CSRF) via the _table_id parameter. Impact is described as high/critical in CVE sources. Affected versions: prior to 2.7.11, 3.1.2, and 3.2.0. Patches are available in versions 2.7.1...
CVE-2024-31998
CVE-2024-31998 affects Combodo iTop (web-based ITSM). A CSRF on the CSV import simulation could allow unauthorized state-changing actions. Affected versions are prior to 3.1.2 and 3.2.0; fixed in 3.1.2 and 3.2.0. CVSSv3.1 base score 8.8 (HIGH) with user interaction required. No public workarounds...
CVE-2021-32775
CVE-2021-32775 (Combodo iTop) : An information disclosure in iTop prior to versions 2.7.4 and 3.0.0 allowed a non-admin user to view many class/field values via a GroupBy Dashlet error message. The issue is fixed in 2.7.4 and 3.0.0. Affected product details and exact root cause are described in t...
CVE-2021-32776
Combodo iTop has a CSRF token reuse vulnerability in versions before 2.7.4 (and before 3.0.0 in some advisories) due to no cleanup of CSRF tokens on Windows servers. The issue enables CSRF token reuse by a malicious user. It is fixed in iTop 2.7.4 and 3.0.0. Red Hat CPE advisory confirms the CVE-...
CVE-2023-34444
Combodo iTop is affected by CVE-2023-34444 through an XSS vulnerability in pages/ajax.searchform.php. The issue permits cross-site scripting for scripts outside of script tags and affects versions prior to 2.7.9, 3.0.4, and 3.1.0. Root cause is improper input handling/output encoding in the ajax....
CVE-2019-19821
CVE-2019-19821 affects the Combodo iTop web application. A post‑authentication privilege escalation allows regular authenticated users to access and modify information with administrative privileges due to improper handling of HTTP Location header in server responses. Mitigation per sources is to...
CVE-2022-39214
CVE-2022-39214 (Combodo iTop) : Authenticated users can take over any account by knowing the target username. Affected: iTop prior to 2.7.8 and 3.0.2-1. Root cause: horizontal account takeover due to login handling. Impact: total account takeover with high confidentiality/integrity/availability i...
CVE-2023-48710
CVE-2023-48710 affects iTop where files in the env-production folder could be retrieved despite restricted access. The issue is mitigated by fixes in iTop versions 2.7.10, 3.0.4, 3.1.1, and 3.2.0, which include restricting file retrieval and limiting execution in pages/exec.php to PHP files. Conn...
CVE-2024-51740
Combodo iTop is affected by CVE-2024-51740, a SSRF through arbitrary PHP class instantiation in the user portal. A low-privilege user can cause the server to make HTTP requests, exposing potential appetite for unintended requests from the server context. Fixed in iTop versions 2.7.11, 3.0.5, 3.1....
CVE-2025-24022
CVE-2025-24022 affects the iTop web-based IT Service Management tool. The vulnerability allows server-side code execution via the portal frontend in affected versions prior to 2.7.12, 3.1.3, and 3.2.1. It is fixed in those same release lines (2.7.12, 3.1.3, 3.2.1). These details come from multipl...
CVE-2020-12781
CVE-2020-12781 affects Combodo iTop and describes a cross-site request forgery (CSRF) vulnerability. The CVE entry notes that attackers can trigger commands via a malicious site request forgery, with NVD metrics indicating notable impact (CVSS v3.1: High, with Network exposure, no privileges requ...
CVE-2025-24021
CVE-2025-24021 affects iTop (web-based IT Service Management). Prior to fixes, any account with portal access could set values on object fields that should not be modifiable. Affected versions: 2.7.11 or earlier? The initial docs list vulnerable versions as 2.7.12, 3.1.3, and 3.2.1 that contain f...
CVE-2023-48709
CVE-2023-48709 – iTop formula/CSV export vulnerability : Combodo iTop exports data to CSV/Excel; inputs in exported files may contain malicious formulas. If opened in Excel, this could lead to remote code execution (noted for Excel 2016). Affected versions are iTop prior to the fixed releases. Re...
CVE-2024-52002
Combodo iTop is affected by a Cross-Site Request Forgery (CSRF) across multiple endpoints. The CVE describes CSRF in several iTop pages, with an explicit fix in version 3.2.0; all users are advised to upgrade. The public sources indicate there are no known workarounds. Connected references corrob...
CVE-2020-12780
CVE-2020-12780 stems from a security misconfiguration in Combodo iTop exposing sensitive information. Connected advisories describe related, concrete iTop flaws affecting multiple versions and modules: XSS in dashlets/dashboard editor (pre-3.0.4/3.1.1), full path disclosure in dashboard config, a...
CVE-2024-31448
CVE-2024-31448 is a Cross-site Scripting (XSS) vulnerability in Combodo iTop triggered by malicious CSV content during import. Affected software is Combodo iTop (web-based IT Service Management). The issue is fixed in versions 3.1.2 and 3.2.0; users should upgrade to one of these versions or late...
CVE-2023-34445
Combodo iTop contains a cross-site scripting (XSS) vulnerability in the pages/ajax.render.php endpoint. The issue affects rendering of pages and allows script execution outside of script tags. Remediation is to upgrade to fixed versions: 2.7.9, 3.0.4, or 3.1.0. There are no workarounds documented...
CVE-2020-12778
CVE-2020-12778 concerns Combodo iTop (IT service management). The initial description states input validation failures allow command injection and XSS. Connected documents elaborate multiple iTop-XSS/credential issues across versions and components: dashboard editor and dashlets can load files/UR...
CVE-2023-45808
CVE-2023-45808 – iTop silo check bypass Affected software: Combodo iTop (IT service management platform). Issue: When creating or updating objects, extkey values aren’t checked against the current user silo, allowing forged HTTP requests to reference out-of-silo objects (e.g., a UserRequest in an...
CVE-2023-34443
CVE-2023-34443 describes a Cross-site Scripting (XSS) vulnerability in Combodo iTop, specifically on the Run queries page (run_query.php). Affected versions are prior to 2.7.9, prior to 3.0.4, and prior to 3.1.0. The issue is fixed in versions 2.7.9, 3.0.4, and 3.1.0; upgrading to these versions ...
CVE-2020-12779
CVE-2020-12779 concerns a stored XSS in Combodo iTop via uploading a file containing malicious script. The connected advisories corroborate repeated iTop XSS issues across multiple versions and components (e.g., UI and dashboard-related paths) with affected versions including pre-3.0.4, pre-3.1.1...
CVE-2022-39216
CVE-2022-39216 affects Combodo iTop. Before versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter, which may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. Vectors/exploitation details beyond this are not provided in the ac...
CVE-2024-51993
CVE-2024-51993 affects Combodo iTop (pre-3.2.0) where passwords for misconfigured users are stored in cleartext and can be read if an attacker gains access to backups or the database. The issue is mitigated by upgrading to version 3.2.0 or later. If upgrading is not possible, encryption of backup...
CVE-2024-51995
Combodo iTop is affected by a logic bug in ajax.render.php that allows bypassing backOffice access control by crafting arbitrary routes, unless an allowed operation is specified. The issue is resolved in version 3.2.0 by applying the same access-control pattern used in UI.php to ajax.render.php, ...
CVE-2024-52000
CVE-2024-52000 affects Combodo iTop (prior to version 3.2.0): a reflected Cross-site Scripting (XSS) vulnerability triggered by editing a request payload, potentially enabling malicious JavaScript execution. The issue is mitigated in version 3.2.0 via systematic escaping of error messages when re...
CVE-2021-32663
CVE-2021-32663 affects the iTop open source ITSM tool. The vulnerability allows an attacker to call the system setup without authentication, and with specific parameters may lead to SSRF. Remediation per the linked sources is to upgrade to versions where the issue is fixed: iTop 2.6.5 and 2.7.5 a...
CVE-2025-24969
CVE-2025-24969 affects iTop, a web-based IT service management tool. The vulnerability is present in versions prior to 3.2.1, where a portal user can view other contacts’ pictures by changing the picture ID in the URL. Version 3.2.1 includes a patch for this issue. The documented impact is privac...
CVE-2021-21406
CVE-2021-21406 affects Combodo iTop, a web-based IT service management tool. In versions before 2.7.4, there is a command injection vulnerability in the Setup Wizard triggered by providing the Graphviz executable path. Root cause is input handling in the setup flow that allows executing system co...
CVE-2023-47622
CVE-2023-47622 affects the iTop IT service management platform. According to multiple sources, when dashlets are refreshed, an XSS vulnerability can be triggered due to inadequate input handling in the dashboard/dashlet context. The vulnerability is fixed in versions 3.0.4 and 3.1.1. Reports from...
CVE-2024-51994
Affected software: Combodo iTop (web-based IT Service Management). Vulnerability: Cross-site Scripting (XSS) triggered by uploading a text file containing JavaScript in the portal. Root cause / details: The issue exists in versions prior to 3.2.0; uploading a crafted text file enables script exec...
CVE-2020-15219
Combodo iTop vulnerable component: when a download error occurs in the user portal, an SQL query is exposed to the user. Root cause: error path reveals internal SQL. Affected versions: iTop before 2.7.2 and before 3.0.0. Impact per sources: potential information disclosure of the query; no exploi...
CVE-2021-21407
Combodo iTop (open source ITSM) has a CSRF token validation bypass vulnerability in releases prior to 2.7.4, with a patch in 2.7.4 and 3.0.0. The issue allows bypass via a crafted browser procedure through the iTop portal; exploitation status and affected upload are not detailed beyond the patch ...
CVE-2023-44396
CVE-2023-44396 affects Combodo iTop, where dashlet edits via ajax endpoints can be exploited to trigger cross-site scripting (XSS). The issue is fixed in iTop releases 2.7.10, 3.0.4, and 3.1.1; affected are prior builds of those lines. Root cause: unsanitized or improperly handled input in dashle...
CVE-2024-52001
CVE-2024-52001 affects Combodo iTop, a web-based IT Service Management tool. The issue allows portal users to access information about prohibited/forbidden services in affected releases. Public sources consistently state upgrades address the vulnerability, with remediation to version 3.2.0 or lat...
CVE-2024-52601
CVE-2024-52601 – iTop portal exposure is a read-access flaw in the web-based IT Service Management tool iTop. Prior to versions 2.7.12, 3.1.3, and 3.2.1, accounts with portal access could read objects they are not permitted to see by querying an unprotected route (Insecure Direct Object Reference...
CVE-2025-24026
CVE-2025-24026 concerns iTop, a web-based ITSM tool. Versions prior to 3.2.1 are vulnerable to a regular expression denial of service (ReDoS) that may affect the iTop server under certain circumstances; the issue stems from using an affected variable in a regex. Version 3.2.1 does not use the vul...
CVE-2024-56157
Summary: CVE-2024-56157 affects iTop before versions 3.1.3 and 3.2.1, where inserting malicious code into a CSV during import enables a cross-site scripting (XSS) attack. Affected software: iTop (web-based IT Service Management tool; Combodo). Root cause / vector: CSV import accepts unvalidated/m...
CVE-2020-4079
CVE-2020-4079 affects Combodo iTop prior to 2.7.2 and 2.8.0 where the ajax endpoint for the Excel export portal could be accessed directly, bypassing scope filtering and exposing data to users who should not have access. Root cause: missing access control on the Excel export data retrieval. Impac...