Vulnerability Description
iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Combodo | Itop | < 2.7.10 |
Related Weaknesses (CWE)
References
- https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7Patch
- https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385Patch
- https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmhVendor Advisory
- https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7Patch
- https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385Patch
- https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmhVendor Advisory
FAQ
What is CVE-2023-45808?
CVE-2023-45808 is a vulnerability with a CVSS score of 4.1 (MEDIUM). iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can c...
How severe is CVE-2023-45808?
CVE-2023-45808 has been rated MEDIUM with a CVSS base score of 4.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-45808?
Check the references section above for vendor advisories and patch information. Affected products include: Combodo Itop.