CVE-2023-48710

Published: Apr 15, 2024Modified: Feb 6, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

Affected (3)

Products: Combodo: Itop

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Combodo Itop	Before 2.7.10
Combodo Itop	From 3.0.0 to 3.0.4
Combodo Itop	From 3.1.0 to 3.1.1

Related CWEs

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (4)

https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26

Source: security-advisories@github.com

Patch

https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc

Source: security-advisories@github.com

Vendor Advisory

https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.