8.8

CVE-2022-24780

Exploit
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CombodoItop Version < 2.7.6
CombodoItop Version3.0.0 Updatealpha
CombodoItop Version3.0.0 Updatebeta
CombodoItop Version3.0.0 Updatebeta1
CombodoItop Version3.0.0 Updatebeta2
CombodoItop Version3.0.0 Updatebeta3
CombodoItop Version3.0.0 Updatebeta4
CombodoItop Version3.0.0 Updatebeta5
CombodoItop Version3.0.0 Updatebeta6
CombodoItop Version3.0.0 Updatebeta7
CombodoItop Version3.0.0 Updatebeta8
CombodoItop Version3.0.0 Updaterc
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 20.74% 0.955
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
security-advisories@github.com 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.