VYPR
Unrated severity · NVD Advisory · Published Jun 10, 2022 · Updated Aug 3, 2024

CVE-2022-31402

Description

ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ITOP v3.0.1 contains a cross-site scripting (XSS) vulnerability in /itop/webservices/export-v2.php.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in iTop (IT Operations Portal) version 3.0.1, in the /itop/webservices/export-v2.php endpoint. The vulnerability occurs when user-supplied input is not properly sanitized before being reflected in the output, allowing an attacker to inject arbitrary HTML or JavaScript code. The endpoint is part of the export functionality in iTop.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing the XSS payload and tricking a logged-in iTop user into clicking it. The attacker needs no special authentication or network position beyond standard web access, but the victim must be authenticated to the iTop application for the vulnerable script to process the request.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of session cookies, impersonation of the user, and manipulation of the application's interface, potentially compromising the confidentiality and integrity of data accessible through iTop.

Mitigation

As of the latest available advisories, no official fix has been released for iTop v3.0.1. Users should monitor the project's release notes [1][2] and apply updates as they become available. Restricting access to the /itop/webservices/ directory and implementing web application firewall (WAF) rules to block XSS payloads may provide temporary mitigation.
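While access restrictions or WAF rules are being put in place, existing web server logs can be reviewed for requests to the affected endpoint that carry HTML markup in the query string. The following is an added example, not code from iTop or from this advisory; it assumes combined-format access logs, and the log lines and the parameter name `x` are constructed for illustration because the advisory does not name the affected parameter.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoint named in the advisory; everything else is an assumption of this example.
ENDPOINT = "/webservices/export-v2.php"
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Generic markup indicators (triage heuristic, expect some false positives).
MARKUP_RE = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (line_no, decoded_query) for export-v2.php requests carrying markup."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group(1))
        if not fully_decode(parts.path).lower().endswith(ENDPOINT):
            continue
        query = fully_decode(parts.query)
        if MARKUP_RE.search(query):
            hits.append((line_no, query))
    return hits


# Constructed sample log lines (documentation addresses, hypothetical parameter "x").
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2022:10:00:01 +0000] "GET /itop/webservices/export-v2.php?x=report HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Jun/2022:10:02:17 +0000] "GET /itop/webservices/export-v2.php?x=%3Cscript%3E HTTP/1.1" 200 733',
    '192.0.2.44 - - [10/Jun/2022:10:02:19 +0000] "GET /itop/webservices/export-v2.php?x=%253Cimg%2520src%253Dy%253E HTTP/1.1" 200 733',
    '192.0.2.10 - - [10/Jun/2022:10:05:00 +0000] "GET /itop/pages/UI.php?x=%3Cb%3E HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for line_no, query in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {query}")
```

Access logs normally record only the request line, so input sent in a POST body is not visible to this check.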

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
