CVE-2019-13965: XSS
First published: Fri Feb 14 2020(Updated: )
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed to remote command execution because of CVE-2018-10642 (still working through 2.6.0) The Reflective XSS can also become a stored XSS within the same account because of another vulnerability.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Combodo iTop | <=2.6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-13965?
CVE-2019-13965 is a vulnerability in iTop that allows for multiple Reflective XSS issues due to a lack of sanitization around error messages.
What is the severity of CVE-2019-13965?
CVE-2019-13965 has a severity rating of 6.1, which is classified as medium severity.
How does CVE-2019-13965 affect iTop?
CVE-2019-13965 affects iTop versions up to and including 2.6.0.
How can the Reflective XSS issues in iTop be exploited?
The Reflective XSS issues in iTop can be exploited by sending malicious input through the param_file parameter to specific PHP files.
Are there any available patches or fixes for CVE-2019-13965?
At the moment, there is no information available on official patches or fixes for CVE-2019-13965. It is recommended to follow the official iTop documentation and stay updated with any security announcements.
- collector/nvd-index
- agent/weakness
- agent/author
- agent/type
- vendor/combodo
- canonical/combodo itop
- version/combodo itop/2.6.0