CVE-2023-45808
4.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Summary
iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Combodo | iTop | < 2.7.10 | affected |
| Combodo | iTop | >= 3.0.0, < 3.0.4 | affected |
| Combodo | iTop | >= 3.1.0, < 3.1.1 | affected |
Weaknesses
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh
- https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7
- https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385
References
- https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh
- https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7
- https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.