CVE-2021-41161

Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta5:*:*:*:*:*:*

History

04 May 2022, 19:10

Type Values Removed Values Added
CWE CWE-79
References (CONFIRM) https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc - (CONFIRM) https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc - Third Party Advisory
References (MISC) https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22 - (MISC) https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22 - Patch, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 6.1
CPE cpe:2.3:a:combodo:itop:3.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:3.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*

21 Apr 2022, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-21 17:15

Updated : 2024-02-04 22:29


NVD link : CVE-2021-41161

Mitre link : CVE-2021-41161

CVE.ORG link : CVE-2021-41161


JSON object : View

Products Affected

combodo

  • itop
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')