Filtered by vendor Combodo
Subscriptions
Total
82 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-47286 | 1 Combodo | 1 Itop | 2025-11-21 | 7.2 High |
| Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it. | ||||
| CVE-2025-47773 | 1 Combodo | 1 Itop | 2025-11-21 | 8.8 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | ||||
| CVE-2025-47932 | 1 Combodo | 1 Itop | 2025-11-21 | 8.8 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack. | ||||
| CVE-2025-48055 | 1 Combodo | 1 Itop | 2025-11-21 | 8.5 High |
| Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0. | ||||
| CVE-2025-48065 | 1 Combodo | 1 Itop | 2025-11-21 | 8.8 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | ||||
| CVE-2025-48878 | 1 Combodo | 1 Itop | 2025-11-21 | 4.3 Medium |
| Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue. | ||||
| CVE-2025-49145 | 1 Combodo | 1 Itop | 2025-11-21 | 8.7 High |
| Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature. | ||||
| CVE-2025-64167 | 1 Combodo | 1 Itop | 2025-11-21 | 7.1 High |
| Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead. | ||||
| CVE-2023-47489 | 1 Combodo | 1 Itop | 2025-09-29 | 7.8 High |
| CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components. | ||||
| CVE-2023-47488 | 1 Combodo | 1 Itop | 2025-09-29 | 6.1 Medium |
| Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page. | ||||
| CVE-2025-24021 | 1 Combodo | 1 Itop | 2025-08-26 | 5 Medium |
| iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. | ||||
| CVE-2025-24969 | 1 Combodo | 1 Itop | 2025-08-05 | 5 Medium |
| iTop is an web based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contacts picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue. | ||||
| CVE-2024-52601 | 1 Combodo | 1 Itop | 2025-08-01 | 6.5 Medium |
| iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. | ||||
| CVE-2024-56157 | 1 Combodo | 1 Itop | 2025-08-01 | 6.3 Medium |
| iTop is an web based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by filling malicious code in a CSV content, a cross-site scripting attack can be performed when importing this content. The issue is fixed in versions 3.1.3 and 3.2.1. As a workaround, check CSV content before importing it. | ||||
| CVE-2025-24022 | 1 Combodo | 1 Itop | 2025-08-01 | 8.6 High |
| iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1. | ||||
| CVE-2025-24026 | 1 Combodo | 1 Itop | 2025-08-01 | 5.3 Medium |
| iTop is an web based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS. | ||||
| CVE-2025-24785 | 1 Combodo | 1 Itop | 2025-08-01 | 4.3 Medium |
| iTop is an web based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard. | ||||
| CVE-2021-41161 | 1 Combodo | 1 Itop | 2025-04-23 | 9.3 Critical |
| Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2021-41162 | 1 Combodo | 1 Itop | 2025-04-23 | 9.3 Critical |
| Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2021-41245 | 1 Combodo | 1 Itop | 2025-04-22 | 6.5 Medium |
| Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop config file. | ||||