{"api_version":"1","generated_at":"2026-04-23T05:58:18+00:00","cve":"CVE-2021-41161","urls":{"html":"https://cve.report/CVE-2021-41161","api":"https://cve.report/api/cve/CVE-2021-41161.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-41161","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-41161"},"summary":{"title":"CVE-2021-41161","description":"Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-04-21 17:15:00","updated_at":"2022-05-04 19:10:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc","name":"https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc","refsource":"CONFIRM","tags":[],"title":"XSS in csvimport in 3.0.0-beta versions · Advisory · Combodo/iTop · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22","name":"https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22","refsource":"MISC","tags":[],"title":"N°4361 - XSS in csvimport on develop · Combodo/iTop@c8f3d23 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-41161","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41161","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"41161","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"combodo","cpe5":"itop","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41161","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"combodo","cpe5":"itop","cpe6":"3.0.0","cpe7":"beta","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41161","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"combodo","cpe5":"itop","cpe6":"3.0.0","cpe7":"beta2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41161","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"combodo","cpe5":"itop","cpe6":"3.0.0","cpe7":"beta3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41161","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"combodo","cpe5":"itop","cpe6":"3.0.0","cpe7":"beta4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41161","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"combodo","cpe5":"itop","cpe6":"3.0.0","cpe7":"beta5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-41161","STATE":"PUBLIC","TITLE":"XSS in csvimport in 3.0.0-beta versions"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"iTop","version":{"version_data":[{"version_value":"< 3.0.0-beta6"}]}}]},"vendor_name":"Combodo"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.3,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]},"references":{"reference_data":[{"name":"https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc","refsource":"CONFIRM","url":"https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc"},{"name":"https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22","refsource":"MISC","url":"https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22"}]},"source":{"advisory":"GHSA-788f-g6g9-f8fc","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-04-21 17:15:00","lastModifiedDate":"2022-05-04 19:10:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:combodo:itop:3.0.0:beta:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:combodo:itop:3.0.0:beta2:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:combodo:itop:3.0.0:beta3:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:combodo:itop:3.0.0:beta4:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:combodo:itop:3.0.0:beta5:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"41161","Ordinal":"216978","Title":"CVE-2021-41161","CVE":"CVE-2021-41161","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"41161","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}