Vulnerability Description
Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Combodo | Itop | < 3.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22PatchThird Party Advisory
- https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fcThird Party Advisory
- https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22PatchThird Party Advisory
- https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fcThird Party Advisory
FAQ
What is CVE-2021-41161?
CVE-2021-41161 is a vulnerability with a CVSS score of 9.3 (CRITICAL). Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into ...
How severe is CVE-2021-41161?
CVE-2021-41161 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-41161?
Check the references section above for vendor advisories and patch information. Affected products include: Combodo Itop.