Combodo Vulnerabilities and CVE List (82)

Product (CPE): — CVE count: 82

Combodo Vulnerability Overview

Aggregates the CVEs and security vulnerability intelligence for all Combodo products, including CVSS, EPSS, publication date and related threat intelligence data.

Historical vulnerabilities mainly involve cross-site scripting and CSRF; some of them may lead to session hijacking and affect scenarios involving software deployment and production workloads.

The vulnerability data is drawn mainly from public vulnerability disclosures and security advisories, and can be used to assess the historical exposure surface and remediation priority.

Vulnerability distribution trend (last 24 months)

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-64167 | Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead. | [email protected] | 7.1 | 0.03% | 2025-11-10 | 2025-11-21 |
| CVE-2025-49145 | Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying the callback signature. | [email protected] | 8.7 | 0.05% | 2025-11-10 | 2025-11-21 |
| CVE-2025-48878 | Combodo iTop is a web-based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with the Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue. | [email protected] | 4.3 | 0.03% | 2025-11-10 | 2025-11-21 |
| CVE-2025-48065 | Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | [email protected] | 8.8 | 0.02% | 2025-11-10 | 2025-11-21 |
| CVE-2025-48055 | Combodo iTop is a web-based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0. | [email protected] | 8.5 | 0.02% | 2025-11-10 | 2025-11-21 |
| CVE-2025-47932 | Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the variable responsible for the attack. | [email protected] | 8.8 | 0.02% | 2025-11-10 | 2025-11-21 |
| CVE-2025-47773 | Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content. | [email protected] | 8.8 | 0.02% | 2025-11-10 | 2025-11-21 |
| CVE-2025-47286 | Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it. | [email protected] | 8.6 | 0.07% | 2025-11-10 | 2025-11-21 |
| CVE-2025-24969 | iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue. | [email protected] | 5.0 | 0.17% | 2025-05-14 | 2025-08-05 |
| CVE-2025-24785 | iTop is a web-based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard. | [email protected] | 4.3 | 0.25% | 2025-05-14 | 2025-08-01 |
| CVE-2025-24026 | iTop is a web-based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect the iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS. | [email protected] | 5.3 | 0.23% | 2025-05-14 | 2025-08-01 |
| CVE-2025-24022 | iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1. | [email protected] | 8.5 | 0.71% | 2025-05-14 | 2026-01-16 |
| CVE-2025-24021 | iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set values on object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. | [email protected] | 5.0 | 0.18% | 2025-05-14 | 2025-08-22 |
| CVE-2024-56157 | iTop is a web-based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by filling malicious code into CSV content, a cross-site scripting attack can be performed when importing this content. The issue is fixed in versions 3.1.3 and 3.2.1. As a workaround, check CSV content before importing it. | [email protected] | 6.3 | 0.17% | 2025-05-14 | 2025-08-01 |
| CVE-2024-52601 | iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue. | [email protected] | 6.5 | 0.20% | 2025-05-14 | 2025-08-01 |
| CVE-2025-27139 | Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue. | [email protected] | 6.8 | 1.00% | 2025-02-25 | 2025-02-28 |
| CVE-2024-54139 | Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0, iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue. | [email protected] | 7.9 | 0.45% | 2024-12-13 | 2025-03-11 |
| CVE-2024-52002 | Combodo iTop is a simple, web-based IT Service Management tool. Several URL endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. Please refer to the linked GHSA for the complete list. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 8.8 | 6.99% | 2024-11-08 | 2025-01-07 |
| CVE-2024-52001 | Combodo iTop is a simple, web-based IT Service Management tool. In affected versions portal users are able to access forbidden services information. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 4.3 | 0.49% | 2024-11-08 | 2025-01-07 |
| CVE-2024-52000 | Combodo iTop is a simple, web-based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload, which can lead to malicious JavaScript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 6.1 | 1.00% | 2024-11-08 | 2025-01-07 |
cvelogic Threat Intelligence