Total
45 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2019-13966 | 1 Combodo | 1 Itop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM | In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title). |
CVE-2019-13967 | 1 Combodo | 1 Itop | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation. The requests use the pages/exec.php?exec_env=production&exec_module=itop-hub-connector&exec_page=ajax.php&operation=compile URI. This only affects the community version. |
CVE-2019-13965 | 1 Combodo | 1 Itop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM | Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0). The Reflective XSS can also become a stored XSS within the same account because of another vulnerability. |
CVE-2015-6544 | 1 Combodo | 1 Itop | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title. |
CVE-2018-10642 | 1 Combodo | 1 Itop | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH | Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval(). |