9.3

CVE-2021-41162

Cross-site Scripting in Combodo iTop

Combodo iTop is a web-based IT Service Management tool. In 3.0.0 beta releases prior to beta6, the `ajax.render.php?operation=wizard_helper` page did not properly escape user-supplied parameters, allowing for a cross-site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue.
Data provided by the National Vulnerability Database (NVD)
Combodo Itop Version <= 2.7.6
Combodo Itop Version 3.0.0 Update beta
Combodo Itop Version 3.0.0 Update beta1
Combodo Itop Version 3.0.0 Update beta2
Combodo Itop Version 3.0.0 Update beta3
Combodo Itop Version 3.0.0 Update beta4
Combodo Itop Version 3.0.0 Update beta5
No warning was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.61% | 0.446 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| security-advisories@github.com | 9.3 | 2.8 | 5.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/Combodo/iTop/commit/83125d9ae16cfb2527b9d0ab0805a68b863244a0 (Patch, Third Party Advisory)

https://github.com/Combodo/iTop/security/advisories/GHSA-w5jw-hfvp-gx95 (Third Party Advisory)