CVE-2022-24780

HIGH

Combodo iTop < 2.7.6 - Remote Code Execution via TWIG Code Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-24780. PoCs published by Acceis.

AI-analyzed exploit summary: This repository contains a Ruby-based exploit for CVE-2022-24780, an authenticated remote command execution vulnerability in iTop versions < 2.7.6. The exploit leverages Server-Side Template Injection (SSTI) in the user profile page, with two modes: 'full' (preserves user data via Selenium-driven browser emulation) and 'light' (destructive, faster, no JavaScript execution).

Description

Combodo iTop is a web-based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific HTTP queries, and execute arbitrary code on the server with the privileges of the HTTP server user. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

Exploits (1)

nomisec · Working PoC · 6 stars
by Acceis · poc
https://github.com/Acceis/exploit-CVE-2022-24780


Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: iTop < 2.7.6
Auth required
Prerequisites: Valid iTop credentials · Access to the user profile page · Ruby and dependencies (Watir, Selenium, Nokogiri, etc.)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.0534
EPSS Percentile 91.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
combodo/itop 3.0.0 alpha (11 CPE variants)
combodo/itop < 2.7.6
Published Apr 05, 2022
Tracked Since Feb 18, 2026