CVE-2024-52002

HIGH

Combodo iTop < 3.2.0 - Cross-Site Request Forgery


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-52002. PoC published by Harshit-Mashru.

AI-analyzed exploit summary: This repository contains a working proof-of-concept exploit for CVE-2024-52002, demonstrating a CSRF and XSS chaining attack to achieve admin privilege escalation in iTop software. The exploit involves uploading a malicious CSV file to trigger XSS and then using CSRF to create an admin account.

Description

Combodo iTop is a simple, web-based IT Service Management tool. Several URL endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (1)

nomisec WORKING POC
by Harshit-Mashru · poc
https://github.com/Harshit-Mashru/iTop-CVEs-exploit

Classification
Working PoC 90%
Attack Type
XSS | CSRF | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: iTop 3.1.1
Auth required
Prerequisites: Access to a vulnerable iTop instance · User interaction to upload a malicious CSV file · User interaction to click on a malicious link
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.0064
EPSS Percentile 45.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
combodo/itop < 3.2.0
Published Nov 08, 2024
Tracked Since Feb 18, 2026