CVE-2019-19821

Published: Mar 16, 2020Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions : 2.5.4, 2.6.3, 2.7.0

Affected (1)

Products: Combodo: Itop

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Combodo Itop	Before 2.7

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796

Source: cve@mitre.org

https://www.combodo.com/itop-193

Source: cve@mitre.org

ProductVendor Advisory

https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/

Source: cve@mitre.org

Third Party Advisory

https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.combodo.com/itop-193

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.