VYPR

iTop

by Combodo

CVEs (77)

  • CVE-2018-10642 (High), May 2, 2018
    risk 0.47 | cvss 7.2 | epss 0.07

    Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the…

  • CVE-2015-6544 (Medium), Feb 20, 2018
    risk 0.33 | cvss 6.1 | epss 0.05

    Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.

  • CVE-2011-4275, Nov 26, 2011
    risk 0.03 | cvss | epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted…

  • CVE-2024-51739, Nov 5, 2024
    risk 0.02 | cvss | epss 0.01

    Combodo iTop is a simple, web-based IT Service Management tool. An unauthenticated user can perform user enumeration, which can make it easier to brute-force a valid account. As a fix, the sentence displayed after resetting a password no longer shows whether the user exists or not. This…

  • CVE-2024-32870, Nov 4, 2024
    risk 0.02 | cvss | epss 0.01

    Combodo iTop is a simple, web-based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be read by anyone having access to the iTop URI. This issue has been patched in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to…

  • CVE-2022-39214, Mar 14, 2023
    risk 0.02 | cvss | epss 0.26

    Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1.

  • CVE-2024-52002, Nov 8, 2024
    risk 0.01 | cvss | epss 0.01

    Combodo iTop is a simple, web-based IT Service Management tool. Several URL endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised…

  • CVE-2025-64167, Nov 10, 2025
    risk 0.00 | cvss | epss 0.00

    Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use…

  • CVE-2025-49145, Nov 10, 2025
    risk 0.00 | cvss | epss 0.00

    Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying the callback signature.

  • CVE-2025-48878, Nov 10, 2025
    risk 0.00 | cvss | epss 0.00

    Combodo iTop is a web-based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with the Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version…

  • CVE-2025-48065, Nov 10, 2025
    risk 0.00 | cvss | epss 0.00

    Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content.

  • CVE-2025-48055, Nov 10, 2025
    risk 0.00 | cvss | epss 0.00

    Combodo iTop is a web-based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0.

  • CVE-2025-47932, Nov 10, 2025
    risk 0.00 | cvss | epss 0.00

    Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the variable responsible for the attack.

  • CVE-2025-47773, Nov 10, 2025
    risk 0.00 | cvss | epss 0.00

    Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content.

  • CVE-2025-47286, Nov 10, 2025
    risk 0.00 | cvss | epss 0.00

    Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a…

  • CVE-2025-24969, May 14, 2025
    risk 0.00 | cvss | epss 0.00

    iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue.

  • CVE-2025-24785, May 14, 2025
    risk 0.00 | cvss | epss 0.00

    iTop is a web-based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided…

  • CVE-2025-24026, May 14, 2025
    risk 0.00 | cvss | epss 0.00

    iTop is a web-based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect the iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a…

  • CVE-2025-24022, May 14, 2025
    risk 0.00 | cvss | epss 0.01

    iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.

  • CVE-2025-24021, May 14, 2025
    risk 0.00 | cvss | epss 0.00

    iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set values on object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

Page 1 of 4