iTop: XSS Vulnerability Affects Web-Based IT Service Management Tool
CVE-2023-34445

6.1 MEDIUM

Key Information:

Vendor: Combodo

Status: Vendor

CVE Published: 5 November 2024

What is CVE-2023-34445?

A cross-site scripting (XSS) vulnerability has been identified in Combodo iTop, a widely used web-based IT Service Management tool. The issue arises from improper handling of script content in the pages/ajax.render.php component, which allows malicious scripts that are not contained within script tags to be executed. As a result, an attacker may exploit this vulnerability to execute arbitrary code within the user's browser session. To address this risk, users are strongly encouraged to upgrade to the latest versions of iTop, specifically 2.7.9, 3.0.4, or higher, which include the relevant security patches. There are currently no known workarounds for this issue, so upgrading is the only way to maintain the security integrity of the application.
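The advisory describes script content executing outside of script tags, which is the classic effect of an untrusted value being written into HTML without output encoding. The following PHP snippet is an added illustration, not iTop's code and not the actual defect in pages/ajax.render.php: the handler and parameter names are hypothetical, and it shows the unsafe rendering pattern beside the hardened form that encodes every untrusted value for the HTML context it lands in.

```php
<?php
// Added illustration (not iTop code): the rendering pattern behind a reflected XSS
// and the corresponding output-encoding fix. "renderLabelUnsafe", "renderLabelSafe"
// and the "label" value are hypothetical names, not identifiers from iTop.

declare(strict_types=1);

// Vulnerable pattern: the untrusted value is concatenated straight into HTML, so a
// value containing a closing quote and an event-handler attribute runs as script
// without any <script> tag being present in the response.
function renderLabelUnsafe(string $label): string
{
    return '<span title="' . $label . '">' . $label . '</span>';
}

// Hardened pattern: HTML-entity encode the value for both text-node and
// quoted-attribute contexts. ENT_QUOTES escapes single and double quotes, so the
// value cannot terminate the attribute it is placed in; ENT_HTML5 selects the
// HTML5 entity set and the explicit charset avoids multibyte encoding pitfalls.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderLabelSafe(string $label): string
{
    $safe = escapeHtml($label);
    return '<span title="' . $safe . '">' . $safe . '</span>';
}

// Constructed sample inputs: a benign label and one that carries markup characters.
$samples = [
    'Server 01',
    'x" onmouseover="alert(1)',   // constructed: breaks out of the attribute if left unencoded
];

foreach ($samples as $input) {
    echo 'unsafe: ' . renderLabelUnsafe($input) . PHP_EOL;
    echo 'safe:   ' . renderLabelSafe($input) . PHP_EOL;
}
```

Running this with `php` shows the unsafe output containing a live `onmouseover` attribute, while the safe output renders the same characters as inert `&quot;` and `&lt;` entities. Encoding at the point of output is the general fix for this class of bug; for this specific issue the vendor fix is to upgrade to 2.7.9 or 3.0.4 as stated above.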

Affected Version(s)

iTop < 2.7.9

iTop >= 3.0.0, < 3.0.4

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
