CVE-2023-43790

iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used for the object friendlyname value. This vulnerability is fixed in 3.1.1 and 3.2.0.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732	Patch
https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97	Vendor Advisory
https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732	Patch
https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*

History

06 Feb 2025, 20:56

Type	Values Removed	Values Added
First Time		Combodo itop Combodo
CPE		cpe:2.3:a:combodo:itop::::::::
References	~~() https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732 -~~	() https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732 - Patch
References	~~() https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97 -~~	() https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97 - Vendor Advisory

Information

Published : 2024-04-15 17:15

Updated : 2025-02-06 20:56

NVD link : CVE-2023-43790

Mitre link : CVE-2023-43790

CVE.ORG link : CVE-2023-43790

JSON object : View

Products Affected

combodo

itop

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

{"id": "CVE-2023-43790", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-04-15T17:15:07.103", "references": [{"url": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Combodo/iTop/commit/03c9ffc0334fd44f3f0e82477264087064e1c732", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-96xm-p83r-hm97", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used for the object friendlyname value. This vulnerability is fixed in 3.1.1 and 3.2.0.\n"}, {"lang": "es", "value": "iTop es una plataforma de gesti\u00f3n de servicios de TI. Al manipular las consultas HTTP, un usuario puede inyectar contenido malicioso en los campos utilizados para el valor del nombre descriptivo del objeto. Esta vulnerabilidad se solucion\u00f3 en 3.1.1 y 3.2.0."}], "lastModified": "2025-02-06T20:56:06.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E46BEA8B-6ECB-44B7-9509-99E2CBB569EC", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}