Stored Cross-site Scripting in Combodo iTop
CVE-2022-24870

8.7HIGH

Key Information:

Vendor

Combodo

Status
Itop
Vendor
CVE Published:
21 April 2022

What is CVE-2022-24870?

Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

iTop >= 3.0.0-beta, < 3.0.0-beta3

References

https://github.com/Combodo/iTop/security/advisories/GHSA-...
x_refsource_CONFIRM
https://huntr.dev/bounties/1625056040123-Combodo/iTop/?to...
x_refsource_MISC
https://www.github.com/combodo/itop/commit/ebbf6e56befda2...
x_refsource_MISC

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.