CVE-2021-41245

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop config file.
Configurations

Configuration 1 (hide)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*

History

13 Apr 2022, 19:57

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 5.8
v3 : 8.1
CPE cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*
References (MISC) https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae - (MISC) https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae - Exploit, Third Party Advisory
References (MISC) https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186 - (MISC) https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf - (CONFIRM) https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf - Mitigation, Third Party Advisory

05 Apr 2022, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-05 15:15

Updated : 2024-02-04 22:29


NVD link : CVE-2021-41245

Mitre link : CVE-2021-41245

CVE.ORG link : CVE-2021-41245


JSON object : View

Products Affected

combodo

  • itop
CWE
CWE-352

Cross-Site Request Forgery (CSRF)