CVE-2019-13965
Description
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0). The Reflective XSS can also become a stored XSS within the same account because of another vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple reflective XSS flaws in iTop through 2.6.0 allow admin-level RCE via CVE-2018-10642.
Vulnerability
iTop versions through 2.6.0 contain multiple Reflective Cross-Site Scripting (XSS) vulnerabilities due to insufficient sanitization of error messages. The param_file parameter in webservices/export.php, webservices/cron.php, and env-production/itop-backup/backup.php is not properly sanitized, allowing injection of arbitrary JavaScript. The vulnerability is present in all versions up to and including 2.6.0 [1].
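The root cause is an error message that echoes the request parameter into HTML without output encoding. The following is an added illustration written for this page, not iTop's own code: a hypothetical endpoint helper that reports a missing file, shown in the vulnerable form beside the hardened one. The function names and the sample value are constructed for the example.

```php
<?php
// Added example, not code from iTop. A hypothetical helper that renders a
// "file not found" error for a request parameter such as param_file.

function render_error_vulnerable(string $paramFile): string
{
    // Vulnerable pattern: the attacker-controlled value is interpolated
    // straight into the HTML response, so any markup in it is rendered.
    return "<p class=\"error\">Cannot open file: $paramFile</p>";
}

function render_error_fixed(string $paramFile): string
{
    // Hardened pattern: encode for the HTML context at the point of output.
    // ENT_QUOTES also encodes single quotes, so the same value stays safe
    // if it is ever placed inside an attribute.
    $safe = htmlspecialchars($paramFile, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p class=\"error\">Cannot open file: $safe</p>";
}

function is_safely_encoded(string $html, string $raw): bool
{
    // Check used below: the raw value must not appear verbatim in the output
    // when it contains characters that are significant in HTML.
    return strpbrk($raw, '<>"\'&') === false || strpos($html, $raw) === false;
}

// Constructed sample: a harmless tag standing in for any injected markup.
$sample = '<b>marker</b>';

echo render_error_vulnerable($sample), "\n"; // the <b> element is rendered by the browser
echo render_error_fixed($sample), "\n";      // &lt;b&gt;marker&lt;/b&gt; is shown as literal text

var_dump(is_safely_encoded(render_error_vulnerable($sample), $sample)); // bool(false)
var_dump(is_safely_encoded(render_error_fixed($sample), $sample));      // bool(true)
```

The fix is context-aware output encoding of every untrusted value that reaches an error page, regardless of which endpoint produced it; a single shared error renderer that always encodes is easier to audit than per-endpoint escaping. For the three endpoints named in the description, the parameter is a file name, so a server-side check that it resolves to an expected directory is a sensible companion control, but it does not replace encoding at output.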
Exploitation
An attacker can send a crafted request containing malicious JavaScript in the param_file parameter to the vulnerable endpoints. The request does not require authentication to trigger the reflective XSS. When an administrator views the resulting error page, the injected script executes in the context of the admin's session. Because of the pre-existing CVE-2018-10642 (which remains exploitable in iTop 2.6.0), the XSS payload can be leveraged to execute arbitrary commands on the server [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the administrator's browser session. Due to the link with CVE-2018-10642, the attacker can escalate this to remote command execution on the iTop server, gaining full control over the application and underlying system. The reflective XSS can also become stored XSS within the same account via another vulnerability, potentially persisting across visits [1].
Mitigation
The iTop project has addressed these issues in version 2.7.0, released on 2020-02-20. Users should upgrade to iTop 2.7.0 or later to remediate the XSS vulnerabilities and eliminate the attack vector for CVE-2018-10642. No workarounds are documented; upgrading is the recommended action [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- iTop/iTop
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- 0day.love/itop_vulnerabilities_disclosure.pdf (MISC)
- www.itophub.io/wiki/page (MISC)
News mentions
No linked articles in our index yet.