Combodo iTop vulnerabilities
81 known vulnerabilities affecting combodo/itop.
Total CVEs: 81
CISA KEV: 0
Public exploits: 4
Exploited in wild: 2
Severity breakdown: CRITICAL 3, HIGH 22, MEDIUM 55, LOW 1
Vulnerabilities
Page 1 of 5
CVE-2024-32870 | P1 | MEDIUM | CVSS 5.8 | CWE-200 | Exploited | PoC | 2024-11-05
Affected / fixed: fixed in 2.7.11; ≥ 3.0.0, < 3.0.5; +3 more
Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be read by anyone having access to iTop URI. This issue has been patched in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: nvd

CVE-2011-4275 | P2 | MEDIUM | CVSS 4.3 | CWE-79 | Exploited | PoC | 2011-11-26
Affected / fixed: v1.1.181; v1.2.0
Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action
Source: nvd

CVE-2022-24780 | P2 | HIGH | CVSS 8.8 | CWE-94 | 2022-04-05
Affected / fixed: fixed in 2.7.6; v3.0.0
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workaround
Source: nvd

CVE-2022-39214 | P3 | HIGH | CVSS 7.5 | CWE-863 | 2023-03-14
Affected / fixed: fixed in 2.7.8; fixed in 3.0.2-1; +1 more
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1.
Source: nvd

CVE-2015-6544 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | 2018-02-20
Affected / fixed: fixed in 2.2.0-2459
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.
Source: nvd

CVE-2025-24022 | P3 | HIGH | CVSS 8.5 | CWE-78 | 2025-05-14
Affected / fixed: fixed in 2.7.12; ≥ 3.0.0, < 3.1.3; +3 more
iTop is a web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.
Source: nvd

CVE-2024-51739 | P3 | MEDIUM | CVSS 5.3 | CWE-200 | PoC | 2024-11-05
Affected / fixed: fixed in 2.7.11; ≥ 3.0.0, < 3.0.5; +3 more
Combodo iTop is a simple, web based IT Service Management tool. An unauthenticated user can perform user enumeration, which can make it easier to bruteforce a valid account. As a fix, the message displayed after resetting a password no longer reveals whether the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are adv
Source: nvd

CVE-2021-21406 | P3 | HIGH | CVSS 8.8 | CWE-77 | 2021-07-21
Affected / fixed: fixed in 2.7.4; v2.7.5; +1 more
Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vulnerability in the Setup Wizard when providing the Graphviz executable path. The vulnerability is patched in versions 2.7.4 and 3.0.0.
Source: nvd

CVE-2024-51740 | P3 | HIGH | CVSS 8.8 | CWE-918 | 2024-11-05
Affected / fixed: fixed in 2.7.11; ≥ 3.0.0, < 3.0.5; +3 more
Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised
Source: nvd

CVE-2022-39216 | P3 | CRITICAL | CVSS 9.8 | CWE-330 | 2023-03-14
Affected / fixed: fixed in 2.7.8; fixed in 3.0.2-1; +1 more
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1.
Source: nvd

CVE-2018-10642 | P3 | HIGH | CVSS 7.2 | CWE-94 | 2018-05-02
Affected / fixed: ≤ 2.4.1
Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().
Source: nvd

CVE-2023-48710 | P3 | CRITICAL | CVSS 9.8 | CWE-552 | 2024-04-15
Affected / fixed: fixed in 2.7.10; ≥ 3.0.0, < 3.0.4; +3 more
iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Fortunately, no sensitive files are stored in that folder natively, but a third-party module could place some there.
The `pages/exec.php` script has been fixed to limit execution to PHP files only. Other f
Source: nvd

CVE-2019-19821 | P3 | HIGH | CVSS 8.1 | CWE-79 | 2020-03-16
Affected / fixed: fixed in 2.7
A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions: 2.5.4, 2.6.3
Source: nvd

CVE-2025-47286 | P3 | HIGH | CVSS 7.2 | CWE-74 | 2025-11-10
Affected / fixed: fixed in 2.7.13; ≥ 3.0.0, < 3.2.2; +1 more
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it.
Source: nvd

CVE-2021-32663 | P3 | HIGH | CVSS 7.5 | CWE-918 | 2021-10-19
Affected / fixed: fixed in 2.6.5; ≥ 2.7.0, < 2.7.5; +1 more
iTop is an open source web based IT Service Management tool. In affected versions, an attacker can call the system setup without authentication. Given specific parameters, this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later.
Source: nvd

CVE-2020-4079 | P3 | HIGH | CVSS 7.7 | CWE-200 | 2021-01-12
Affected / fixed: fixed in 2.7.2; v2.7.3
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel export" portal functionality is called directly it allows getting data without scope filtering. This allows a user to access data which they should not have access to. This is fixed in versions 2.7.2 and 3.0.0.
Source: nvd

CVE-2023-48709 | P3 | HIGH | CVSS 8.0 | CWE-74 | 2024-04-15
Affected / fixed: fixed in 2.7.9; ≥ 3.0.0, < 3.0.4; +3 more
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does not prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.
Source: nvd

CVE-2024-52002 | P3 | HIGH | CVSS 8.8 | CWE-352 | 2024-11-08
Affected / fixed: fixed in 3.2.0
Combodo iTop is a simple, web based IT Service Management tool. Several URL endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: nvd

CVE-2020-12777 | P3 | HIGH | CVSS 7.5 | CWE-200 | 2020-08-10
Affected / fixed: fixed in 2.7.1; v3.0.0; +1 more
A function in Combodo iTop contains a Broken Access Control vulnerability, which allows an unauthorized attacker to inject commands and disclose system information.
Source: nvd

CVE-2024-54139 | P3 | CRITICAL | CVSS 9.6 | CWE-79 | 2024-12-13
Affected / fixed: fixed in 2.7.11; ≥ 3.0.0, < 3.1.2; +3 more
Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0, iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue.
Source: nvd