CVE-2015-6544
Published: 2018-02-20
Priority: P3 · 37 · medium · CVSS 3.0 base score 6.1
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 5.48% (91.8th percentile)
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| combodo | itop | < 2.2.0-2459 | 2.2.0-2459 |
| combodo | itop | <= 2.6.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
GHSA
GHSA-48xc-xhjj-x9r7 (CVE-2019-13966 · MEDIUM · ghsa_unreviewed · 2022-05-24 · CVSS 6.1)
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
GHSA
GHSA-qg2x-67vv-3x5w (CVE-2015-6544 · MEDIUM · CWE-79 · ghsa_unreviewed · 2022-05-14)
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.
No detection rules found.
Nuclei
Combodo iTop <2.2.0-2459 - Cross-Site Scripting (nuclei · CVE-2015-6544 · MEDIUM · CVSS 6.1)

Only a fragment of the template survived extraction: the template name and request section are truncated, and what remains is a fragment of the payload and the matcher section.

```yaml
# truncated fragment as extracted: "Combodo iTop alert(document.domain)'"
- type: word
  part: header
  words:
    - text/html
- type: status
  status:
    - 200
# digest: 490a0046304402201bc8c64af26eadde74573e5fa5616fbb04e126c3606ca603c343a417a6fb82a802206907319c79feb2398dae96fd90a95d758e308b921b1fc6c8726f19e80cd6dec3:922c64590222798bb761d5b6d8e72950
```
GreyNoise
NoiseLetter October 2025 (blogs_greynoiseio)
Bugzilla
CVE-2019-13966 itop: XSS in XML file used to build the dashboard (bugzilla · 2020-04-15 · MEDIUM · CVSS 6.1)
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
References:
- https://0day.love/itop_vulnerabilities_disclosure.pdf
- https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log
Discussion:
Created itop tracking bugs for this issue:
Affects: fedora-all [bug 1824083]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.