CVE-2025-24021

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:combodo:itop::::::::
	cpe:2.3:a:combodo:itop::::::::
	cpe:2.3:a:combodo:itop::::::::

History

01 Aug 2025, 18:39

Type	Values Removed	Values Added
References	~~() https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj -~~	() https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj - Vendor Advisory
First Time		Combodo Combodo itop
CPE		cpe:2.3:a:combodo:itop::::::::

16 May 2025, 14:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-14 15:15

Updated : 2025-08-01 18:39

NVD link : CVE-2025-24021

Mitre link : CVE-2025-24021

CVE.ORG link : CVE-2025-24021

JSON object : View

Products Affected

combodo

itop

CWE

CWE-862

Missing Authorization

{"id": "CVE-2025-24021", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.1}]}, "published": "2025-05-14T15:15:56.157", "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}, {"lang": "es", "value": "iTop es una herramienta web de gesti\u00f3n de servicios de TI. En versiones anteriores a las 2.7.12, 3.1.3 y 3.2.1, cualquier persona con una cuenta y acceso al portal pod\u00eda asignar valores a campos de objeto cuando no deb\u00eda. Las versiones 2.7.12, 3.1.3 y 3.2.1 incluyen una soluci\u00f3n para este problema."}], "lastModified": "2025-08-01T18:39:30.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC277226-1ABB-4593-B14C-4910541DA298", "versionEndExcluding": "2.7.12"}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C365D2D-CA46-4DA0-8739-7950631132E0", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BE41CA6-35B8-41BA-B116-B63136CA48C9", "versionEndExcluding": "3.2.1", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}