What is CVE-2022-24870?

CVE-2022-24870 is a vulnerability in the Combodo iTop IT Service Management tool that allows for stored cross-site scripting attacks.

What is the severity of CVE-2022-24870?

The severity of CVE-2022-24870 is high, with a CVSS score of 5.4.

How does CVE-2022-24870 affect Combodo iTop?

CVE-2022-24870 affects Combodo iTop 3.0.0 beta releases prior to 3.0.0 beta3 by enabling a stored cross-site scripting attack through the customization mechanism.

How can I fix CVE-2022-24870?

To fix CVE-2022-24870, users are advised to upgrade to Combodo iTop 3.0.0 beta3 or a later version.

CWE-79 is a category of software weaknesses that covers cross-site scripting vulnerabilities.

Vulnerability/
CVE-2022-24870

high

8.7

CWE

21/4/2022

29/4/2022

CVE-2022-24870: XSS

First published: Thu Apr 21 2022(Updated: )

Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Combodo iTop	=3.0.0-beta
Combodo iTop	=3.0.0-beta2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-24870?
CVE-2022-24870 is a vulnerability in the Combodo iTop IT Service Management tool that allows for stored cross-site scripting attacks.
What is the severity of CVE-2022-24870?
The severity of CVE-2022-24870 is high, with a CVSS score of 5.4.
How does CVE-2022-24870 affect Combodo iTop?
CVE-2022-24870 affects Combodo iTop 3.0.0 beta releases prior to 3.0.0 beta3 by enabling a stored cross-site scripting attack through the customization mechanism.
How can I fix CVE-2022-24870?
To fix CVE-2022-24870, users are advised to upgrade to Combodo iTop 3.0.0 beta3 or a later version.
What is CWE-79?
CWE-79 is a category of software weaknesses that covers cross-site scripting vulnerabilities.

collector/nvd-index
agent/references
agent/severity
agent/weakness
agent/author
agent/event
agent/tags
agent/type
agent/description
agent/remedy
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
vendor/combodo
canonical/combodo itop
version/combodo itop/3.0.0-beta
version/combodo itop/3.0.0-beta2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.