CVE-2023-34443
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
05/11/2024
Last modified:
06/11/2024
Description
Combodo iTop is a simple, web based IT Service Management tool. When displaying page Run queries Cross-site Scripting (XSS) are possible for scripts outside of script tags. This has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* | 2.7.9 (excluding) | |
| cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/Combodo/iTop/security/advisories/GHSA-9mx6-pwpp-j3xx
- https://huntr.dev/bounties/c230d55d-1f0e-40c3-8c7e-20587d3e54da/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b