9.6

CVE-2024-54139

Combodo iTop vulnerable to XSS leading to CSRF breach on _table_id parameter

Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0., iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CombodoItop Version < 2.7.11
CombodoItop Version >= 3.0.0 < 3.1.2
CombodoItop Version3.2.0 Updatealpha1
CombodoItop Version3.2.0 Updatebeta1
CombodoItop Version3.2.0 Updaterc1
CombodoItop Version3.2.0 Updaterc2
CombodoItop Version3.2.0 Updaterc3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.106
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.6 2.8 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
security-advisories@github.com 7.9 1.3 6
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/Combodo/iTop/security/advisories/GHSA-jmv2-wfh5-h5wg
Vendor Advisory