VYPR
Unrated severityNVD Advisory· Published Nov 5, 2024· Updated Nov 5, 2024

Users enumeration allowed through Rest API in Combodo iTop

CVE-2024-51739

Description

Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it easier to bruteforce a valid account. As a fix the sentence displayed after resetting password no longer shows if the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may overload the dictionary entry "UI:ResetPwd-Error-WrongLogin" through an extension and replace it with a generic message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Combodo/Itopllm-fuzzy2 versions
    <2.7.11 | 3.0.0-3.0.4 | 3.1.0-3.1.1+ 1 more
    • (no CPE)range: <2.7.11 | 3.0.0-3.0.4 | 3.1.0-3.1.1
    • (no CPE)range: < 2.7.11

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.