CVE-2024-52000

Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*

History

07 Jan 2025, 16:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:combodo:itop::::::::
First Time		Combodo itop Combodo
CVSS	v2 : ~~unknown~~ v3 : ~~8.1~~	v2 : unknown v3 : 6.1
References	~~() https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg -~~	() https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg - Vendor Advisory

12 Nov 2024, 13:56

Type	Values Removed	Values Added
Summary		(es) Combodo iTop es una herramienta de gestión de servicios de TI sencilla y basada en la web. Las versiones afectadas están sujetas a una vulnerabilidad de tipo Cross-site Scripting (XSS) que se ve reflejada al editar el payload de una solicitud, lo que puede provocar la ejecución de JavaScript malicioso. Este problema se ha solucionado en la versión 3.2.0 mediante el escape sistemático de mensajes de error al mostrarse en la página. Se recomienda a todos los usuarios que actualicen la versión. No existen workarounds para esta vulnerabilidad.

08 Nov 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-08 23:15

Updated : 2025-01-07 16:52

NVD link : CVE-2024-52000

Mitre link : CVE-2024-52000

CVE.ORG link : CVE-2024-52000

JSON object : View

Products Affected

combodo

itop

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-52000", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-11-08T23:15:03.817", "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-r58g-p5r9-8hfg", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Combodo iTop es una herramienta de gesti\u00f3n de servicios de TI sencilla y basada en la web. Las versiones afectadas est\u00e1n sujetas a una vulnerabilidad de tipo Cross-site Scripting (XSS) que se ve reflejada al editar el payload de una solicitud, lo que puede provocar la ejecuci\u00f3n de JavaScript malicioso. Este problema se ha solucionado en la versi\u00f3n 3.2.0 mediante el escape sistem\u00e1tico de mensajes de error al mostrarse en la p\u00e1gina. Se recomienda a todos los usuarios que actualicen la versi\u00f3n. No existen workarounds para esta vulnerabilidad."}], "lastModified": "2025-01-07T16:52:48.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A59157AC-6016-4FB6-A3BD-08EAB161CF96", "versionEndExcluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}