CVE-2024-31998

Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*

History

06 Nov 2024, 14:31

Type	Values Removed	Values Added
First Time		Combodo Combodo itop
CPE		cpe:2.3:a:combodo:itop::::::::
References	~~() https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r -~~	() https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r - Vendor Advisory

05 Nov 2024, 16:04

Type	Values Removed	Values Added
Summary		(es) Combodo iTop es una herramienta de gestión de servicios de TI sencilla y basada en la web. Se puede ejecutar un CSRF en la simulación de importación de CSV. Este problema se ha solucionado en las versiones 3.1.2 y 3.2.0. Se recomienda a todos los usuarios que actualicen la versión. No se conocen workarounds para esta vulnerabilidad.

05 Nov 2024, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-05 00:15

Updated : 2024-11-06 14:31

NVD link : CVE-2024-31998

Mitre link : CVE-2024-31998

CVE.ORG link : CVE-2024-31998

JSON object : View

Products Affected

combodo

itop

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-31998", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-11-05T00:15:04.083", "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-8cwx-q4xh-7c7r", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": " Combodo iTop es una herramienta de gesti\u00f3n de servicios de TI sencilla y basada en la web. Se puede ejecutar un CSRF en la simulaci\u00f3n de importaci\u00f3n de CSV. Este problema se ha solucionado en las versiones 3.1.2 y 3.2.0. Se recomienda a todos los usuarios que actualicen la versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-11-06T14:31:46.643", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B1E5E6E-1398-4908-9D8F-25C8C667F3D2", "versionEndExcluding": "3.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}