
Combodo Itop vulnerabilities

81 known vulnerabilities affecting combodo/itop.

Total CVEs: 81
CISA KEV: 0
Public exploits: 4
Exploited in wild: 2
Severity breakdown: CRITICAL 3, HIGH 22, MEDIUM 55, LOW 1

Vulnerabilities

Page 4 of 5
CVE-2020-12778 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.7.1 | v3.0.0 | +1 more | 2020-08-10
CVE-2020-12778 [MEDIUM] CWE-79: Combodo iTop does not validate inputted parameters; attackers can inject malicious commands and launch an XSS attack.
Source: nvd
CVE-2023-34443 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.7.9 | ≥ 3.0.0, < 3.0.4 | +1 more | 2024-11-05
CVE-2023-34443 [MEDIUM] CWE-79: Combodo iTop is a simple, web based IT Service Management tool. When displaying the Run queries page, Cross-site Scripting (XSS) is possible for scripts outside of script tags. This has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: nvd
CVE-2023-34444 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.7.9 | ≥ 3.0.0, < 3.0.4 | +1 more | 2024-11-05
CVE-2023-34444 [MEDIUM] CWE-79: Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php, XSS is possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: nvd
CVE-2023-34445 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.7.9 | ≥ 3.0.0, < 3.0.4 | +1 more | 2024-11-05
CVE-2023-34445 [MEDIUM] CWE-79: Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php, XSS is possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: nvd
CVE-2022-24811 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.7.6 | 2022-04-05
CVE-2022-24811 [MEDIUM] CWE-79: Combodo iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
Source: nvd
CVE-2020-15221 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.7.2 | v3.0.0 | 2021-01-13
CVE-2020-15221 [MEDIUM] CWE-79: Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0.
Source: nvd
CVE-2023-47123 | P4 | MEDIUM | CVSS 5.4 | ≥ 3.1.0, < 3.1.1 | v>= 3.1.0, < 3.1.1 | 2024-04-15
CVE-2023-47123 [MEDIUM] CWE-79: iTop is an IT service management platform. By filling malicious code in an object friendlyname / complementary name, an XSS attack can be performed when this object is displayed as an n:n relation item in another object. This vulnerability is fixed in 3.1.1 and 3.2.0.
Source: nvd
CVE-2025-27139 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.7.12 | ≥ 3.0.0, < 3.1.2 | +3 more | 2025-02-25
CVE-2025-27139 [MEDIUM] CWE-79: Combodo iTop is a web based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue.
Source: nvd
CVE-2025-24969 | P4 | MEDIUM | CVSS 5.0 | fixed in 3.2.1 | 2025-05-14
CVE-2025-24969 [MEDIUM] CWE-639: iTop is a web based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue.
Source: nvd
CVE-2019-13966 | P4 | MEDIUM | CVSS 6.1 | ≤ 2.6.0 | 2020-02-14
CVE-2019-13966 [MEDIUM]: In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
Source: nvd
CVE-2020-11696 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.6.4 | fixed in 2.7.0 | 2020-06-05
CVE-2020-11696 [MEDIUM] CWE-79: In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and in iTop essential and iTop professional in version 2.6.4.
Source: nvd
CVE-2020-11697 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.6.4 | fixed in 2.7.0 | 2020-06-05
CVE-2020-11697 [MEDIUM] CWE-79: In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
Source: nvd
CVE-2020-12779 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.7.0 | v2.7.0 | +1 more | 2020-08-10
CVE-2020-12779 [MEDIUM] CWE-79: Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be exploited by uploading a file containing a malicious script.
Source: nvd
CVE-2025-48878 | P4 | MEDIUM | CVSS 4.3 | ≥ 3.0.0, < 3.2.2 | v>= 3.0.0-alpha, < 3.2.2 | 2025-11-10
CVE-2025-48878 [MEDIUM] CWE-862: Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue.
Source: nvd
CVE-2021-32664 | P4 | MEDIUM | CVSS 4.8 | fixed in 2.6.5 | ≥ 2.7.0, < 2.7.5 | +1 more | 2021-10-19
CVE-2021-32664 [MEDIUM] CWE-79: Combodo iTop is an open source web based IT Service Management tool. In affected versions there is an XSS vulnerability on the "run query" page when logged in as administrator. This has been resolved in versions 2.6.5 and 2.7.5.
Source: nvd
CVE-2023-38511 | P4 | MEDIUM | CVSS 4.3 | ≥ 3.0.0, < 3.0.4 | ≥ 3.1.0, < 3.1.1 | +2 more | 2024-04-15
CVE-2023-38511 [MEDIUM] CWE-22: iTop is an IT service management platform. The dashboard editor can load multiple files and URLs, and there is a full path disclosure on the dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.
Source: nvd
CVE-2020-15219 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.7.2 | v3.0.0 | 2021-01-13
CVE-2020-15219 [MEDIUM] CWE-209: Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the user portal, an SQL query is displayed to the user. This is fixed in versions 2.7.2 and 3.0.0.
Source: nvd
CVE-2024-52001 | P4 | MEDIUM | CVSS 4.3 | fixed in 3.2.0 | 2024-11-08
CVE-2024-52001 [MEDIUM] CWE-200: Combodo iTop is a simple, web based IT Service Management tool. In affected versions portal users are able to access forbidden services information. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: nvd
CVE-2025-24785 | P4 | MEDIUM | CVSS 4.3 | ≥ 3.2.0, < 3.2.1 | v= 3.2.0 | 2025-05-14
CVE-2025-24785 [MEDIUM] CWE-20: iTop is a web based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard.
Source: nvd
CVE-2013-0805 | P4 | MEDIUM | CVSS 4.3 | ≤ 2.0 | v0.7.1 | +14 more | 2014-03-20
CVE-2013-0805 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to pages/UI.php or (2) expression parameter to pages/run_query.php. NOTE: some of these details are obtained from third party i
Source: nvd