Combodo Itop vulnerabilities
81 known vulnerabilities affecting combodo/itop.
Total CVEs: 81
CISA KEV: 0
Public exploits: 4
Exploited in wild: 2
Severity breakdown: CRITICAL 3, HIGH 22, MEDIUM 55, LOW 1
Vulnerabilities
Page 2 of 5
CVE-2024-31998 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 3.1.2 | 2024-11-05 | source: nvd
Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2019-11215 | P3 | HIGH | CVSS 8.1 | CWE-79 | affected: ≥ 2.2.0, ≤ 2.4.0; ≥ 2.4.1, ≤ 2.6.0 | 2020-02-14 | source: nvd
In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload. Many conditions can place the configuration file into a writable state: during installation; during upgrade; in certain cases, an error during modification of the
CVE-2024-51995 | P3 | HIGH | CVSS 7.1 | CWE-284 | fixed in 3.2.0 | 2024-11-07 | source: nvd
Combodo iTop is a web based IT Service Management tool. An attacker can request any `route` we want as long as we specify an `operation` that is allowed. This issue has been addressed in version 3.2.0 by applying the same access control pattern as in `UI.php` to the `ajax.render.php` page which does not allow arbitrary `routes` to be dispatched. All us
CVE-2021-32776 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 2.7.4; v3.0.0 | 2021-07-21 | source: nvd
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0.
CVE-2023-47489 | P3 | HIGH | CVSS 7.8 | affected: v3.1.0-2-11973 | 2023-11-09 | source: nvd
CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to the export-v2.php and ajax.render.php components.
CVE-2024-52601 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in 2.7.12; ≥ 3.0.0, < 3.1.3; +3 more | 2025-05-14 | source: nvd
iTop is a web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.
CVE-2021-41245 | P3 | HIGH | CVSS 8.1 | CWE-352 | fixed in 2.7.6 | 2022-04-05 | source: nvd
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop config file.
CVE-2020-12780 | P3 | HIGH | CVSS 7.5 | CWE-863 | fixed in 2.7.1; affected: ≤ 2.7.0-beta2 | 2020-08-10 | source: nvd
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2025-49145 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 2.7.13; ≥ 3.0.0, < 3.2.2; +1 more | 2025-11-10 | source: nvd
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature.
CVE-2020-12781 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 2.7.1; v3.0.0; +1 more | 2020-08-10 | source: nvd
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.
CVE-2019-13967 | P4 | HIGH | CVSS 7.5 | affected: ≥ 2.2.0, ≤ 2.6.0 | 2020-02-14 | source: nvd
iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version.
CVE-2021-32775 | P4 | MEDIUM | CVSS 6.5 | CWE-209 | fixed in 2.7.4; v3.0.0 | 2021-07-21 | source: nvd
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field values through GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0.
CVE-2020-15218 | P4 | MEDIUM | CVSS 6.8 | CWE-613 | fixed in 2.7.2; v3.0.0 | 2021-01-13 | source: nvd
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their content is visible after logout by using the browser back button. This is fixed in versions 2.7.2 and 3.0.0.
CVE-2021-21407 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | fixed in 2.7.4 | 2021-07-21 | source: nvd
Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed through iTop portal via a tricky browser procedure. The vulnerability is patched in version 2.7.4 and 3.0.0.
CVE-2024-56157 | P4 | MEDIUM | CVSS 6.3 | CWE-79 | fixed in 3.1.3; ≥ 3.2.0, < 3.2.1; +1 more | 2025-05-14 | source: nvd
iTop is a web based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by filling malicious code in a CSV content, a cross-site scripting attack can be performed when importing this content. The issue is fixed in versions 3.1.3 and 3.2.1. As a workaround, check CSV content before importing it.
CVE-2019-13965 | P4 | MEDIUM | CVSS 6.1 | affected: ≤ 2.6.0 | 2020-02-14 | source: nvd
Because of a lack of sanitization around error messages, multiple reflected XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (sti
CVE-2025-64167 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.7.13; ≥ 3.0.0, < 3.2.2; +1 more | 2025-11-10 | source: nvd
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead.
CVE-2025-47932 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 2.7.13; ≥ 3.0.0, < 3.2.2; +1 more | 2025-11-10 | source: nvd
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the var responsible for the attack.
CVE-2025-24026 | P4 | MEDIUM | CVSS 5.3 | CWE-1333 | fixed in 3.2.1 | 2025-05-14 | source: nvd
iTop is a web based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then th
CVE-2025-24021 | P4 | MEDIUM | CVSS 5.0 | CWE-862 | fixed in 2.7.12; ≥ 3.0.0, < 3.1.3; +3 more | 2025-05-14 | source: nvd
iTop is a web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.