CVE-2022-24780: Code Injection in Combodo iTop
First published: Tue Apr 05 2022(Updated: )
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Combodo iTop | <2.7.6 | |
| Combodo iTop | =3.0.0-alpha | |
| Combodo iTop | =3.0.0-beta | |
| Combodo iTop | =3.0.0-beta1 | |
| Combodo iTop | =3.0.0-beta2 | |
| Combodo iTop | =3.0.0-beta3 | |
| Combodo iTop | =3.0.0-beta4 | |
| Combodo iTop | =3.0.0-beta5 | |
| Combodo iTop | =3.0.0-beta6 | |
| Combodo iTop | =3.0.0-beta7 | |
| Combodo iTop | =3.0.0-beta8 | |
| Combodo iTop | =3.0.0-rc |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html
- https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3
- https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b
- https://github.com/Combodo/iTop/commit/eb2a615bd28100442c7f6171707bb40884af2305
- https://github.com/Combodo/iTop/security/advisories/GHSA-v97m-wgxq-rh54
- https://markus-krell.de/itop-template-injection-inside-customer-portal/
Frequently Asked Questions
What is CVE-2022-24780?
CVE-2022-24780 is a vulnerability in Combodo iTop versions prior to 2.7.6 and 3.0.0 that allows users of the iTop user portal to execute arbitrary code on the server using HTTP server user privileges.
What is the severity of CVE-2022-24780?
CVE-2022-24780 has a severity of 8.8 (high).
How does CVE-2022-24780 affect Combodo iTop?
CVE-2022-24780 affects Combodo iTop versions prior to 2.7.6 and 3.0.0.
How can I fix CVE-2022-24780?
To fix CVE-2022-24780, users should update to version 2.7.6 or 3.0.0 of Combodo iTop.
Where can I find more information about CVE-2022-24780?
More information about CVE-2022-24780 can be found at the following references: [link1](http://packetstormsecurity.com/files/167236/iTop-Remote-Command-Execution.html) and [link2](https://github.com/Combodo/iTop/commit/93f273a28778e5da8e51096f021d2dc1adbf4ef3) and [link3](https://github.com/Combodo/iTop/commit/b6fac4b411b8d145fc30fa35c66b51243eafd06b).
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/title
- agent/severity
- agent/author
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/combodo
- canonical/combodo itop
- version/combodo itop/3.0.0-alpha
- version/combodo itop/3.0.0-beta
- version/combodo itop/3.0.0-beta1
- version/combodo itop/3.0.0-beta2
- version/combodo itop/3.0.0-beta3
- version/combodo itop/3.0.0-beta4
- version/combodo itop/3.0.0-beta5
- version/combodo itop/3.0.0-beta6
- version/combodo itop/3.0.0-beta7
- version/combodo itop/3.0.0-beta8
- version/combodo itop/3.0.0-rc