CVE-2024-51740

EPSS 0.53%
Veröffentlicht 05.11.2024 19:15:08
Zuletzt bearbeitet 08.11.2024 21:09:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

SSRF through arbitrary PHP class instantiation in the user portal in Combodo iTop

Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Combodo ≫ Itop Version < 2.7.11

Combodo ≫ Itop Version >= 3.0.0 < 3.0.5

Combodo ≫ Itop Version >= 3.1.0 < 3.1.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.404

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/Combodo/iTop/security/advisories/GHSA-w9g8-mxm5-ph62

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-51740

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-51740

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-51740

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-51740