CVE-2018-10642
Published 2018-05-02

CVE-2018-10642: Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration.

Priority: P3 · 51 · High 7.2 (CVSS 3.0)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 7.50% (93.7th percentile)
Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| combodo | itop | <= 2.6.0 | — |
| combodo | itop | <= 2.4.1 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
GHSA-4969-q73g-ghxm (CVE-2019-13965, HIGH): Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2
Status: ghsa_unreviewed · 2022-05-24 · CVSS 7.2

Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0). The Reflective XSS can also become a stored XSS within the same account because of another vulnerability.
GHSA-w7xq-2x44-5m2x (CVE-2018-10642, HIGH, CWE-94): Command injection vulnerability in Combodo iTop 2
Status: ghsa_unreviewed · 2022-05-13

Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().
No detection rules found.
No public exploits indexed.

Published: 2018-05-02