CVE-2021-41161
9.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Combodo | iTop | < 3.0.0-beta6 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc
- https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc
- https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.