CVE-2022-24780
Summary
| CVE | CVE-2022-24780 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-04-05 19:15:00 UTC |
| Updated | 2022-10-07 03:33:00 UTC |
| Description | Combodo iTop is a web-based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, an authenticated user of the iTop customer portal can submit Twig template code to the server by forging specific HTTP requests; the injected template is rendered server-side, which yields arbitrary code execution with the privileges of the HTTP server user (server-side template injection). This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds. |
Risk And Classification
Problem Types: CWE-94 (Improper Control of Generation of Code, "Code Injection"); the concrete instance is server-side template injection into the Twig engine used by the portal.
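A defender who cannot patch immediately will want a way to spot the attack pattern the record describes: Twig syntax arriving in the portal's formmanager_data parameter (the field named in the vendor advisory). The detector below is an added example written for this page, not code from iTop or from any of the referenced fix commits. It assumes the request has already been parsed into a name-to-value mapping by a proxy or WAF (that shape is an assumption), and it treats the field as JSON-encoded because the referenced commits talk about decoding it; the sample requests are constructed, not captured traffic.

```python
import json
import re

# Twig's three delimiter families: output {{ }}, tag {% %}, comment {# #}.
TWIG_DELIMITERS = re.compile(r"\{\{|\{%|\{#")


def _decode_json_container(text):
    """Return the parsed object if text is a JSON object/array, else None."""
    try:
        parsed = json.loads(text)
    except ValueError:
        return None
    return parsed if isinstance(parsed, (dict, list)) else None


def find_twig_syntax(value, path="$"):
    """Walk a decoded parameter value and return (path, string) pairs that carry Twig delimiters.

    Strings that are themselves JSON documents are decoded and walked, so a payload
    hidden inside a nested, JSON-encoded structure is still reported with its path.
    """
    hits = []
    if isinstance(value, str):
        nested = _decode_json_container(value)
        if nested is not None:
            hits.extend(find_twig_syntax(nested, path + "(json)"))
        elif TWIG_DELIMITERS.search(value):
            hits.append((path, value))
    elif isinstance(value, dict):
        for key, item in value.items():
            # Keys are attacker-controlled too, so inspect them as well as values.
            if isinstance(key, str) and TWIG_DELIMITERS.search(key):
                hits.append((f"{path}.{key}", key))
            hits.extend(find_twig_syntax(item, f"{path}.{key}"))
    elif isinstance(value, list):
        for index, item in enumerate(value):
            hits.extend(find_twig_syntax(item, f"{path}[{index}]"))
    return hits


def flag_portal_request(post_params):
    """post_params: parameter name -> value (assumed shape, as a proxy/WAF would hand it over).

    Returns the Twig-bearing strings found in formmanager_data; an empty list means
    nothing suspicious was seen in that field.
    """
    return find_twig_syntax(post_params.get("formmanager_data", ""), "formmanager_data")


# Constructed sample requests (field names inside the JSON are illustrative).
BENIGN_REQUEST = {
    "operation": "submit",
    "formmanager_data": json.dumps(
        {"fields": {"title": "Printer offline", "description": "3rd floor, room 12"}}
    ),
}
SUSPICIOUS_REQUEST = {
    "operation": "submit",
    "formmanager_data": json.dumps(
        {"fields": {"title": "{{ 7 * 7 }}", "description": "{% set x = 1 %}"}}
    ),
}

if __name__ == "__main__":
    for name, request in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, flag_portal_request(request))
```

This is a heuristic, not a fix: legitimate ticket text can contain `{{` or `{%`, so use the hits to raise an alert and pivot into the portal logs rather than to block outright, and remember that the vulnerable code path exists regardless of whether a given request trips the pattern.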
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Combodo | Itop | * (every release before 2.7.6, per the description) | All | All | All |
| Application | Combodo | Itop | 3.0.0 | alpha | All | All |
| Application | Combodo | Itop | 3.0.0 | beta | All | All |
| Application | Combodo | Itop | 3.0.0 | beta1 | All | All |
| Application | Combodo | Itop | 3.0.0 | beta2 | All | All |
| Application | Combodo | Itop | 3.0.0 | beta3 | All | All |
| Application | Combodo | Itop | 3.0.0 | beta4 | All | All |
| Application | Combodo | Itop | 3.0.0 | beta5 | All | All |
| Application | Combodo | Itop | 3.0.0 | beta6 | All | All |
| Application | Combodo | Itop | 3.0.0 | beta7 | All | All |
| Application | Combodo | Itop | 3.0.0 | beta8 | All | All |
| Application | Combodo | Itop | 3.0.0 | rc | All | All |
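The affected-configuration table is awkward to apply to an inventory by hand because the 3.0.0 pre-releases are listed individually while every earlier release is one wildcard row. The script below is an added example for this page, not vendor code: it encodes the two ranges the record gives (anything before 2.7.6, and every 3.0.0 alpha/beta/rc before the 3.0.0 final) and checks a host inventory against them. The version-string formats it accepts and the inventory itself are assumptions made for the example.

```python
import re

# Pre-release labels sort before the final release of the same number.
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3

VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)(?:[-_. ]?(alpha|beta|rc)[-_.]?(\d*))?",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '2.7.5', '3.0.0-beta8' or '3.0.0 rc' into a sortable tuple.

    Result: (major, minor, patch, (prerelease_rank, prerelease_number)); a final
    release gets FINAL_RANK so it compares greater than any of its pre-releases.
    """
    match = VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised iTop version string: {text!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    if match.group(4):
        pre = (PRERELEASE_RANK[match.group(4).lower()], int(match.group(5) or 0))
    else:
        pre = (FINAL_RANK, 0)
    return (major, minor, patch, pre)


FIXED_2_7 = parse_version("2.7.6")
FIRST_3_0_PRERELEASE = parse_version("3.0.0-alpha")
FIXED_3_0 = parse_version("3.0.0")


def is_affected(text):
    """True when the version falls inside the ranges the record marks as vulnerable.

    A pre-release of 2.7.6 itself is treated conservatively as affected, since it is
    still "prior to 2.7.6"; the record does not say whether such builds carried the fix.
    """
    version = parse_version(text)
    if version < FIXED_2_7:
        return True
    return FIRST_3_0_PRERELEASE <= version < FIXED_3_0


def triage(inventory):
    """inventory: hostname -> version string. Returns the sorted list of hosts to patch."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "itop-prod-01": "2.7.5",
    "itop-prod-02": "2.7.6",
    "itop-staging": "3.0.0-beta8",
    "itop-lab": "3.0.0",
    "itop-legacy": "2.6.3",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2022-24780")
```

Feed it whatever your CMDB or package inventory reports as the iTop version; anything the regex refuses raises rather than silently passing, which is the behaviour you want in a triage script.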
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| iTop – Template Injection inside customer Portal – Personal Page of Markus Krell | MISC | markus-krell.de | |
| N°4384 Security hardening · Combodo/iTop@b6fac4b · GitHub | MISC | github.com | |
| iTop Remote Command Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Portal code injection using the formmanager_data field · Advisory · Combodo/iTop · GitHub | CONFIRM | github.com | |
| N°4384 Security hardening · Combodo/iTop@eb2a615 · GitHub | MISC | github.com | |
| N°4384 Fix PHP warning when decoding formmanager_data when it is alre… · Combodo/iTop@93f273a · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.