Vulnerability Description
A post-authentication privilege escalation in the Combodo iTop web application allows regular authenticated users to read and modify information with administrative privileges. The protection on privileged pages consists of an HTTP redirect: the server answers a non-administrator with a Location header, but the privileged content or action is still delivered in that same response, so a client that simply does not follow the redirect obtains it. Fixed in all iTop packages (community, essential, professional) in versions 2.5.4, 2.6.3 and 2.7.0.
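The following is an added illustration of the bug class described above, written for this page; it is not iTop's source code and does not claim to show how iTop's guard was implemented. It models a privileged page whose authorization check only emits a 302 with a Location header and then keeps processing (read and write), beside a corrected handler that returns before any privileged work. A minimal client that ignores the Location header, like curl without -L, exercises both. The user store, URLs and function names (USERS, DENIED_URL, vulnerable_app, fixed_app, probe) are hypothetical.

```python
"""Redirect-only authorization guard: vulnerable and fixed variants.

Constructed example, not iTop code. Models the bug class where a page sends
a 302/Location to non-admin users but still performs the privileged work in
the same request, so a client that ignores the redirect gets the result.
"""
from urllib.parse import parse_qs

# Constructed user store standing in for the application's accounts (hypothetical).
USERS = {
    "alice": {"is_admin": True, "enabled": True},
    "bob": {"is_admin": False, "enabled": True},
}
DENIED_URL = "/pages/UI.php?operation=denied"  # hypothetical "access denied" page


def reset_users():
    """Restore the constructed store so the probe can be repeated."""
    for account in USERS.values():
        account["enabled"] = True


def render_admin_page(user):
    """Privileged view: lists every account and its state."""
    rows = ", ".join(f"{n}({'on' if d['enabled'] else 'off'})" for n, d in USERS.items())
    return f"<h1>Admin console</h1><p>user={user}</p><p>accounts: {rows}</p>"


def apply_admin_action(params):
    """Privileged state change: disable the named account."""
    if params.get("action") == ["disable"]:
        target = params.get("name", [""])[0]
        if target in USERS:
            USERS[target]["enabled"] = False


def vulnerable_app(environ, start_response):
    """Guard that only signals denial: header set, execution continues."""
    user = environ.get("REMOTE_USER", "")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    status, headers = "200 OK", [("Content-Type", "text/html")]
    if not USERS.get(user, {}).get("is_admin"):
        status = "302 Found"
        headers.append(("Location", DENIED_URL))
        # BUG: no early return, so everything below still runs for non-admins.
    apply_admin_action(params)
    body = render_admin_page(user)
    start_response(status, headers)
    return [body.encode()]


def fixed_app(environ, start_response):
    """Guard that enforces denial: return before any privileged work."""
    user = environ.get("REMOTE_USER", "")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    if not USERS.get(user, {}).get("is_admin"):
        start_response("302 Found", [("Content-Type", "text/html"), ("Location", DENIED_URL)])
        return [b"Access denied"]  # redirect body carries nothing privileged
    apply_admin_action(params)
    start_response("200 OK", [("Content-Type", "text/html")])
    return [render_admin_page(user).encode()]


def fetch(app, user, query=""):
    """Minimal WSGI client that does NOT follow redirects (like curl without -L)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin",
               "QUERY_STRING": query, "REMOTE_USER": user}
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


def probe(app):
    """The check a tester would run: can a non-admin read or change admin data?"""
    reset_users()
    status, headers, body = fetch(app, "bob", "action=disable&name=alice")
    return {
        "redirected": status.startswith("302") and headers.get("Location") == DENIED_URL,
        "read_leak": "Admin console" in body,
        "write_leak": not USERS["alice"]["enabled"],
    }


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        print(name, probe(app))
```

Both handlers answer the non-admin with an identical 302 and Location header, which is why a browser shows no difference; only the body and the side effects differ. Against a real deployment the same check is a request with a low-privilege session cookie and `curl -i` (curl does not follow redirects unless `-L` is given): if the 302 response body contains the privileged page, or the requested change is visible afterwards, the guard is redirect-only.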
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Combodo | iTop | < 2.7.0 (fixed in 2.5.4, 2.6.3 and 2.7.0) |
Related Weaknesses (CWE)
References
- https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796
- https://www.combodo.com/itop-193 (Product, Vendor Advisory)
- https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_comb (Third Party Advisory)
FAQ
What is CVE-2019-19821?
CVE-2019-19821 is a vulnerability with a CVSS score of 8.1 (HIGH). A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access and modify information with administrative privileges by not following the HTTP Location header in server responses.
How severe is CVE-2019-19821?
CVE-2019-19821 has been rated HIGH with a CVSS base score of 8.1/10. This page lists only the base score and rating, not the individual metrics.
Is there a patch for CVE-2019-19821?
Yes. Combodo fixed the issue in iTop 2.5.4, 2.6.3 and 2.7.0 for all packages (community, essential, professional). See the vendor advisory in the references section above for details.