Molkobain

4 exploits Active since Apr 2022
CVE-2022-24811 WRITEUP MEDIUM WRITEUP
Combodo iTop < 2.7.6 - Cross-Site Scripting in HTML Attachment Display
Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
CVSS 5.4
CVE-2022-24870 WRITEUP HIGH WRITEUP
Combodo iTop 3.0.0 beta - Authenticated Stored Cross-Site Scripting via Tooltip Customization
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS 8.7
CVE-2023-47123 WRITEUP HIGH WRITEUP
iTop 3.1.0 - Stored Cross-Site Scripting via Object Friendlyname/Complementary Name
iTop is an IT service management platform. By filling malicious code in an object friendlyname / complementary name, an XSS attack can be performed when this object will displayed as an n:n relation item in another object. This vulnerability is fixed in 3.1.1 and 3.2.0.
CVSS 8.7
CVE-2023-48710 WRITEUP CRITICAL WRITEUP
iTop < 2.7.10 - Unauthenticated Arbitrary File Read via env-production Folder
iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.
CVSS 9.8