Cross-Site Request Forgery Vulnerability in Combodo iTop Prior to Versions 2.7.11, 3.1.2, and 3.2.0
CVE-2024-54139
9.6 CRITICAL
What is CVE-2024-54139?
The vulnerable versions of Combodo iTop, an open source, web-based IT service management platform, contain a cross-site scripting issue in the handling of the _table_id parameter. The vulnerability poses a security risk because it could allow attackers to perform cross-site request forgery, compromising the integrity and security of user sessions. Patches are available in versions 2.7.11, 3.1.2, and 3.2.0 to mitigate the risk and improve the overall security posture of the platform.
Affected Version(s)
Product | Affected versions
iTop | < 2.7.11
iTop | >= 3.0.0-alpha, < 3.1.2
iTop | >= 3.2.0-alpha1, < 3.2.0