CVE-2021-41245 Information

Description

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0 CSRF tokens generated by privUITransactionFile aren’t properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround use the session implementation by adding in the iTop config file.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Reference

https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186 https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.1