CVE-2023-48710

CRITICAL

iTop <3.2.0 - Info Disclosure

Title source: llm

Description

iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

References (2)

[Vendor Advisory] https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc

[Patch] https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0043

EPSS Percentile 62.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-552

Status published

Products (1)

combodo/itop < 2.7.10

Published Apr 15, 2024

Tracked Since Feb 18, 2026