Stephen Abello

8 exploits Active since Mar 2023
CVE-2022-39216 WRITEUP HIGH WRITEUP
Combodo iTop <2.7.8 & <3.0.2-1 - Info Disclosure
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1.
CVSS 7.4
CVE-2023-38511 WRITEUP MEDIUM WRITEUP
iTop 3.0.0-3.0.3 - Path Traversal and Information Disclosure via Dashboard Editor
iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.
CVSS 5.0
CVE-2023-48709 WRITEUP HIGH WRITEUP
iTop - CSV Formula Injection in Data Export
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.
CVSS 8.0
CVE-2022-39216 WRITEUP HIGH WRITEUP
Combodo iTop <2.7.8 & <3.0.2-1 - Info Disclosure
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1.
CVSS 7.4
CVE-2023-38511 WRITEUP MEDIUM WRITEUP
iTop 3.0.0-3.0.3 - Path Traversal and Information Disclosure via Dashboard Editor
iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.
CVSS 5.0
CVE-2023-43790 WRITEUP MEDIUM WRITEUP
iTop 3.1.0 - Cross-Site Scripting via Object Friendlyname Field
iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used for the object friendlyname value. This vulnerability is fixed in 3.1.1 and 3.2.0.
CVSS 5.7
CVE-2023-47622 WRITEUP HIGH WRITEUP
iTop < 3.0.4 - Stored Cross-Site Scripting via Dashlet Refresh
iTop is an IT service management platform. When dashlet are refreshed, XSS attacks are possible. This vulnerability is fixed in 3.0.4 and 3.1.1.
CVSS 8.8
CVE-2023-48709 WRITEUP HIGH WRITEUP
iTop - CSV Formula Injection in Data Export
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.
CVSS 8.0