CVE-2023-45808

EPSS 0.34%
Veröffentlicht 15.04.2024 18:15:08
Zuletzt bearbeitet 06.02.2025 20:58:02
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

iTop missing silo check on extkey in console and portal

iTop is an IT service management platform.  When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Combodo ≫ Itop Version < 2.7.10

Combodo ≫ Itop Version >= 3.0.0 < 3.0.4

Combodo ≫ Itop Version >= 3.1.0 < 3.1.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.252

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.1	2.3	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7

Patch

https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385

Patch

https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-45808

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-45808

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-45808

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-45808