CVE-2024-52002

Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*

History

07 Jan 2025, 16:43

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.6~~	v2 : unknown v3 : 8.8
First Time		Combodo itop Combodo
CPE		cpe:2.3:a:combodo:itop::::::::
References	~~() https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm -~~	() https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm - Vendor Advisory

12 Nov 2024, 13:56

Type	Values Removed	Values Added
Summary		(es) Combodo iTop es una herramienta de gestión de servicios de TI sencilla y basada en la Web. Varios endpoints de URL están sujetos a una vulnerabilidad de Cross-Site Request Forgery (CSRF). Consulte la GHSA vinculada para obtener la lista completa. Este problema se ha solucionado en la versión 3.2.0 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

08 Nov 2024, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-08 23:15

Updated : 2025-01-07 16:43

NVD link : CVE-2024-52002

Mitre link : CVE-2024-52002

CVE.ORG link : CVE-2024-52002

JSON object : View

Products Affected

combodo

itop

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-52002", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-11-08T23:15:04.410", "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-xr4x-xq7v-7gqm", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Combodo iTop es una herramienta de gesti\u00f3n de servicios de TI sencilla y basada en la Web. Varios endpoints de URL est\u00e1n sujetos a una vulnerabilidad de Cross-Site Request Forgery (CSRF). Consulte la GHSA vinculada para obtener la lista completa. Este problema se ha solucionado en la versi\u00f3n 3.2.0 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-01-07T16:43:28.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A59157AC-6016-4FB6-A3BD-08EAB161CF96", "versionEndExcluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}