CVE-2024-52000

Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg

Configurations

No configuration.

History

12 Nov 2024, 13:56

Type	Values Removed	Values Added
Summary		(es) Combodo iTop es una herramienta de gestión de servicios de TI sencilla y basada en la web. Las versiones afectadas están sujetas a una vulnerabilidad de tipo Cross-site Scripting (XSS) que se ve reflejada al editar el payload de una solicitud, lo que puede provocar la ejecución de JavaScript malicioso. Este problema se ha solucionado en la versión 3.2.0 mediante el escape sistemático de mensajes de error al mostrarse en la página. Se recomienda a todos los usuarios que actualicen la versión. No existen workarounds para esta vulnerabilidad.

08 Nov 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-08 23:15

Updated : 2024-11-12 13:56

NVD link : CVE-2024-52000

Mitre link : CVE-2024-52000

CVE.ORG link : CVE-2024-52000

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

8.1 /10