Cross-Site Scripting Vulnerability in Combodo iTop IT Service Management Tool
CVE-2025-64167

7.1HIGH

Key Information:

Vendor: Combodo
Status: Itop
Vendor: CVE Published:; 10 November 2025

What is CVE-2025-64167?

The Combodo iTop IT service management tool is susceptible to a cross-site scripting (XSS) vulnerability, allowing attackers to execute JavaScript in the context of a victim's browser when the URL parameter is manipulated during editing. This affects versions of iTop prior to 2.7.13 and 3.2.2, which have not yet rectified this issue. The secure versions utilize export-v2.php instead of the deprecated export.php, minimizing the risk of exploitation.

Affected Version(s)

iTop < 2.7.13 < 2.7.13

iTop >= 3.0.0-alpha, < 3.2.2 < 3.0.0-alpha, 3.2.2

References

https://github.com/Combodo/iTop/security/advisories/GHSA-...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 10, 2025
Vulnerability Reserved
Oct 28, 2025

JSON