CVE-2023-45808

Published: Apr 15, 2024Modified: Feb 6, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

Affected (3)

Products: Combodo: Itop

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Combodo Itop	Before 2.7.10
Combodo Itop	From 3.0.0 to 3.0.4
Combodo Itop	From 3.1.0 to 3.1.1

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (6)

https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7

Source: security-advisories@github.com

Patch

https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385

Source: security-advisories@github.com

Patch

https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh

Source: security-advisories@github.com

Vendor Advisory

https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.