{"api_version":"1","generated_at":"2026-04-23T05:59:06+00:00","cve":"CVE-2021-32663","urls":{"html":"https://cve.report/CVE-2021-32663","api":"https://cve.report/api/cve/CVE-2021-32663.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-32663","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-32663"},"summary":{"title":"CVE-2021-32663","description":"iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-10-19 18:15:00","updated_at":"2021-10-22 20:49:00"},"problem_types":["CWE-918"],"metrics":[],"references":[{"url":"https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807","name":"https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807","refsource":"MISC","tags":[],"title":"N°3952 - code hardening · Combodo/iTop@43daa2e · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9","name":"https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9","refsource":"CONFIRM","tags":[],"title":"Unauthorized SSRF and reflected XSS -The attacker has the ability to make requests on behalf of the server · Advisory · Combodo/iTop · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec","name":"https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec","refsource":"MISC","tags":[],"title":"N°3952 - code hardening (merged from support/2.6) · Combodo/iTop@6be9a87 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-32663","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32663","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"32663","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"combodo","cpe5":"itop","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-32663","STATE":"PUBLIC","TITLE":"Unauthorized setup leads to SSRF in Combodo/iTop"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"iTop","version":{"version_data":[{"version_value":"< 2.6.5"},{"version_value":">= 2.7.0, < 2.7.5"}]}}]},"vendor_name":"Combodo"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later"}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-918: Server-Side Request Forgery (SSRF)"}]}]},"references":{"reference_data":[{"name":"https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9","refsource":"CONFIRM","url":"https://github.com/Combodo/iTop/security/advisories/GHSA-ghqc-r8f6-q9m9"},{"name":"https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807","refsource":"MISC","url":"https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2386fa19324628c3f19b807"},{"name":"https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec","refsource":"MISC","url":"https://github.com/Combodo/iTop/commit/6be9a87c150978752bc68baae1a5c4833ddadfec"}]},"source":{"advisory":"GHSA-ghqc-r8f6-q9m9","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-10-19 18:15:00","lastModifiedDate":"2021-10-22 20:49:00","problem_types":["CWE-918"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:combodo:itop:*:*:*:*:-:*:*:*","versionStartIncluding":"2.7.0","versionEndExcluding":"2.7.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:combodo:itop:*:*:*:*:-:*:*:*","versionEndExcluding":"2.6.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"32663","Ordinal":"208051","Title":"CVE-2021-32663","CVE":"CVE-2021-32663","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"32663","Ordinal":"1","NoteData":"iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later","Type":"Description","Title":null},{"CveYear":"2021","CveId":"32663","Ordinal":"2","NoteData":"2021-10-19","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"32663","Ordinal":"3","NoteData":"2021-10-19","Type":"Other","Title":"Modified"}]}}}