CVE-2024-52601

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Combodo/iTop/security/advisories/GHSA-cph2-466c-3f87	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:combodo:itop::::::::
	cpe:2.3:a:combodo:itop::::::::
	cpe:2.3:a:combodo:itop::::::::

History

01 Aug 2025, 18:39

Type	Values Removed	Values Added
References	~~() https://github.com/Combodo/iTop/security/advisories/GHSA-cph2-466c-3f87 -~~	() https://github.com/Combodo/iTop/security/advisories/GHSA-cph2-466c-3f87 - Vendor Advisory
First Time		Combodo Combodo itop
CPE		cpe:2.3:a:combodo:itop::::::::

16 May 2025, 14:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-14 15:15

Updated : 2025-08-01 18:39

NVD link : CVE-2024-52601

Mitre link : CVE-2024-52601

CVE.ORG link : CVE-2024-52601

JSON object : View

Products Affected

combodo

itop

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2024-52601", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-05-14T15:15:55.200", "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-cph2-466c-3f87", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}, {"lang": "es", "value": "iTop es una herramienta web de gesti\u00f3n de servicios de TI. En versiones anteriores a las 2.7.12, 3.1.3 y 3.2.1, cualquier persona con una cuenta con acceso al portal pod\u00eda tener acceso de lectura a objetos que no ten\u00eda permitido ver consultando una ruta sin protecci\u00f3n. Las versiones 2.7.12, 3.1.3 y 3.2.1 incluyen una soluci\u00f3n para este problema."}], "lastModified": "2025-08-01T18:39:53.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC277226-1ABB-4593-B14C-4910541DA298", "versionEndExcluding": "2.7.12"}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C365D2D-CA46-4DA0-8739-7950631132E0", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BE41CA6-35B8-41BA-B116-B63136CA48C9", "versionEndExcluding": "3.2.1", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}