CVE-2019-13966
Description
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
iTop dashboard builder XSS via malicious XML fields (like icon) in versions up to 2.6.0, allowing arbitrary JavaScript execution.
Vulnerability
iTop versions through 2.6.0 are vulnerable to a stored Cross-Site Scripting (XSS) attack in the dashboard builder. Certain fields of the XML file used to construct the dashboard (e.g., the icon field) are written into the rendered dashboard page without output encoding, so a script placed in one of those fields is executed by the browser of anyone who views the dashboard [1]. This is similar to the previously identified CVE-2015-6544, which only affected the dashboard title.
Exploitation
An attacker can exploit this vulnerability by providing a crafted dashboard XML file that includes malicious JavaScript in the affected fields. The attacker needs the ability to upload or modify dashboard XML files, or to trick a user with sufficient privileges (e.g., an administrator) into importing the malicious XML. Because the payload is stored with the dashboard definition, it fires each time the dashboard is rendered; user interaction is still required in the sense that a victim must view the dashboard containing the injected payload.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser, in the origin of the iTop instance. This can result in session hijacking, data theft, or unauthorized actions being performed on behalf of the victim (for an administrator victim, that includes administrative changes), compromising the confidentiality and integrity of the iTop instance.
Mitigation
The vulnerability is fixed in later iTop releases. According to the official change log [1], versions 3.2.x (specifically 3.2.3 and beyond) include the necessary fix. Users are advised to upgrade to a non-vulnerable version. If upgrading is not immediately possible, access to the dashboard XML import/export feature should be restricted to trusted users only, and dashboard XML that has already been imported or customized should be reviewed for script content in fields such as icon and title, since a stored payload survives until the dashboard definition itself is cleaned.
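The following is an added example, not code from iTop or from the cited disclosure. It shows the bug class behind the Vulnerability and Exploitation sections (an XML-derived icon value interpolated into an HTML img tag without encoding), the hardened equivalent (allow-list the icon path, then HTML-encode at output), and the review step suggested under Mitigation: a walk over a dashboard XML export that flags any field carrying HTML or JavaScript metacharacters or an on* handler. It is written in Python rather than iTop's PHP so it runs stand-alone; the element names in the sample XML, the payload, and the two render functions are assumptions for illustration and do not reproduce iTop's actual dashboard schema or rendering code.

```python
"""Stored XSS via dashboard XML fields: vulnerable vs hardened rendering, plus an import-time check."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample in the general shape of a dashboard export. Element names and the
# payload in dashlet 2's icon field are assumptions for illustration, not iTop's exact schema.
DASHBOARD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<dashboard>
  <title>Operations overview</title>
  <cells>
    <cell id="0">
      <dashlet id="1">
        <type>DashletBadge</type>
        <title>Open tickets</title>
        <icon>images/icons/ticket.png</icon>
      </dashlet>
      <dashlet id="2">
        <type>DashletBadge</type>
        <title>Servers</title>
        <icon>x" onerror="alert(document.cookie)</icon>
      </dashlet>
    </cell>
  </cells>
</dashboard>
"""


def render_badge_vulnerable(title: str, icon: str) -> str:
    """The bug class: XML-derived strings are dropped into HTML verbatim.
    An icon value of  x" onerror="...  closes the src attribute and adds a handler."""
    return f'<div class="dashlet-badge"><img src="{icon}" alt="">{title}</div>'


# Allow-list for an icon: a relative image path made of safe characters, with an image extension.
ICON_PATH = re.compile(r"[A-Za-z0-9_\-./]+\.(?:png|gif|jpe?g|svg)")


def render_badge_hardened(title: str, icon: str,
                          fallback: str = "images/icons/default.png") -> str:
    """Validate the icon against the allow-list (falling back to a known-good path, and
    rejecting traversal), then HTML-encode every value at the point of output."""
    if not ICON_PATH.fullmatch(icon) or ".." in icon:
        icon = fallback
    return (f'<div class="dashlet-badge">'
            f'<img src="{html.escape(icon, quote=True)}" alt="">'
            f'{html.escape(title)}</div>')


# Anything that could break out of an attribute or element, or inject a URL scheme/handler.
SUSPECT = re.compile(r"""<|>|"|'|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def find_suspect_fields(xml_text: str):
    """Walk every element of a dashboard XML document and return (path, text) for each
    text node that contains HTML/JS metacharacters. Use before importing or after an upgrade
    to find payloads already stored in dashboard definitions."""
    findings = []

    def walk(el, path):
        here = path + "/" + el.tag + (f"[@id={el.get('id')}]" if el.get("id") else "")
        if el.text and SUSPECT.search(el.text):
            findings.append((here, el.text.strip()))
        for child in el:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


def main():
    for path, text in find_suspect_fields(DASHBOARD_XML):
        print(f"suspect field {path}: {text!r}")
    for dashlet in ET.fromstring(DASHBOARD_XML).iter("dashlet"):
        title, icon = dashlet.findtext("title"), dashlet.findtext("icon")
        print("vulnerable:", render_badge_vulnerable(title, icon))
        print("hardened:  ", render_badge_hardened(title, icon))


if __name__ == "__main__":
    main()
```

Running the script flags only dashlet 2's icon field; the vulnerable renderer emits that value as a live onerror attribute, while the hardened renderer replaces it with the fallback icon and would encode any quotes or angle brackets that survived validation. The scanner is deliberately noisy (a legitimate title containing an apostrophe is reported too), which is the right trade-off for a one-off review of stored dashboard definitions.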
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- iTop/iTop
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- 0day.love/itop_vulnerabilities_disclosure.pdf (MISC)
- www.itophub.io/wiki/page (MISC)
News mentions
No linked articles in our index yet.