RSS   Vulnerabilities for 'ITOP'   RSS

2020-08-10
 
CVE-2020-12781

CWE-352
 

 
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.

 
 
CVE-2020-12780

CWE-200
 

 
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.

 
 
CVE-2020-12779

CWE-79
 

 
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.

 
 
CVE-2020-12778

CWE-79
 

 
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.

 
 
CVE-2020-12777

CWE-200
 

 
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.

 
2020-06-05
 
CVE-2020-11696

CWE-79
 

 
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.

 
 
CVE-2020-11697

CWE-79
 

 
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.

 
2020-03-16
 
CVE-2019-19821

CWE-269
 

 
A post-authentication privilege escalation in the web application of Combodo iTop before 2.7 allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses.

 
2020-02-14
 
CVE-2019-13967

CWE-20
 

 
iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version.

 
 
CVE-2019-13966

CWE-79
 

 
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).

 


Copyright 2020, cxsecurity.com

 

Back to Top