9.8

CVE-2023-48710

EPSS 0.72%
Veröffentlicht 15.04.2024 18:15:09
Zuletzt bearbeitet 06.02.2025 21:03:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

iTop limit pages/exec.php script to PHP files

iTop is an IT service management platform.  Files from the `env-production` folder can be retrieved even though they should have restricted access.  Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. 
 The `pages/exec.php` script as been fixed to limit execution of PHP files only.  Other file types won't be retrieved and exposed.  The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Combodo ≫ Itop Version < 2.7.10

Combodo ≫ Itop Version >= 3.0.0 < 3.0.4

Combodo ≫ Itop Version >= 3.1.0 < 3.1.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.49

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-552 Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26

Patch

https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-48710

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-48710

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-48710

EUVD