CVE-2022-24811

Exploit

EPSS 0.31%
Veröffentlicht 05.04.2022 19:15:08
Zuletzt bearbeitet 21.11.2024 06:51:09
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Combodo ≫ Itop Version < 2.7.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.536

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
security-advisories@github.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/Combodo/iTop/commit/92a9a8c65f3cbb2cd4414ca3a3b45a5754ba57b4

Patch

Third Party Advisory

https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

Third Party Advisory

https://huntr.dev/bounties/1625056478879-Combodo/iTop/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-24811

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24811

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24811

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-24811