Combodo iTop's weak password reset token leads to account takeover
CVE-2022-39216
7.4 HIGH
What is CVE-2022-39216?
Combodo iTop, an open-source IT service management platform, contains a vulnerability where the password reset token is generated without sufficient randomness. This lack of randomness can allow attackers to predict or guess the token, leading to potential account takeover. The issue has been addressed in updates to versions 2.7.8 and 3.0.2-1, ensuring a more secure token generation process.
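The weakness class described above, a reset token drawn from a guessable source, is contrasted below with a hardened flow in PHP (iTop's language). This is an added illustration, not iTop's code or its fix; the function names, the in-memory `$store`, and the 15-minute validity window are assumptions made for the example.

```php
<?php
// Added illustration (not iTop's code): a password-reset token flow that avoids
// the weakness class in CVE-2022-39216 (token generated without sufficient
// randomness). Function names and the in-memory store are constructed here.

declare(strict_types=1);

const TOKEN_BYTES = 32;        // 256 bits of entropy from the OS CSPRNG
const TOKEN_TTL_SECONDS = 900; // assumed 15-minute validity window

// Weak pattern, shown for contrast only: a value derived from the clock and a
// non-cryptographic PRNG has a small, guessable search space. This is the root
// cause the advisory describes, not a reproduction of the affected code.
function weakResetToken(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// Hardened: random_bytes() reads from the platform CSPRNG, so the token is
// unpredictable regardless of timing or prior tokens.
function generateResetToken(): string
{
    return bin2hex(random_bytes(TOKEN_BYTES));
}

// Persist only a hash of the token so a database read does not expose tokens
// that are still valid for a reset.
function storeResetToken(array &$store, string $userId, string $token, int $now): void
{
    $store[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + TOKEN_TTL_SECONDS,
        'used'    => false,
    ];
}

// Verify with a constant-time comparison, enforce expiry, and allow one use:
// a short lifetime and single use limit the damage even if a token leaks.
function consumeResetToken(array &$store, string $userId, string $token, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $record = $store[$userId];
    if ($record['used'] || $now > $record['expires']) {
        return false;
    }
    if (!hash_equals($record['hash'], hash('sha256', $token))) {
        return false;
    }
    $store[$userId]['used'] = true;
    return true;
}

// Usage with constructed data: issue a token, reject a wrong one, accept the
// real one once, then reject its reuse.
$store = [];
$now   = time();
$token = generateResetToken();
storeResetToken($store, 'user-42', $token, $now);

echo 'wrong token accepted: ', var_export(consumeResetToken($store, 'user-42', 'not-the-token', $now), true), PHP_EOL;
echo 'real token accepted:  ', var_export(consumeResetToken($store, 'user-42', $token, $now), true), PHP_EOL;
echo 'reuse accepted:       ', var_export(consumeResetToken($store, 'user-42', $token, $now), true), PHP_EOL;
```

The three properties to check in any reset flow are the ones the hardened functions enforce: the token comes from a CSPRNG, only its hash is stored, and validation is constant-time, time-bounded, and single-use.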
Affected Version(s)
iTop < 2.7.8 (fixed in 2.7.8)
iTop >= 3.0.0, < 3.0.2-1 (fixed in 3.0.2-1)