CRITICAL🇵🇱 Wersja polska

CVE-2023-48710

CVSS 9.8v3.1pub. 2024-04-15upd. 2025-02-06

iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

🤖 AI Analysis
How it works

The `pages/exec.php` script did not properly restrict the types of files that could be downloaded and returned to the user. As a result, an attacker without any authentication could use a simple network request to download any file from the `env-production` folder. The patch limits the script's operation exclusively to executing PHP files, blocking the download of other file types.

Impact

An attacker can gain unauthorized access to potentially sensitive configuration files or data left by third-party modules, which may lead to disclosure of confidential information and, as a consequence, to complete system takeover.

Mitigation & patch

iTop should be updated to version 2.7.10, 3.0.4, 3.1.1 or 3.2.0, in which the vulnerability has been fixed. Details are available in the vendor references and in the security advisory on GitHub.

Who is affected

Combodo iTop in all versions before 2.7.10, 3.0.4, 3.1.1 and 3.2.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Combodo Itop

    APP
    Combodo
    < 2.7.103.0.0 – 3.0.4 (bez)3.1.0 – 3.1.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-39214CRITICAL9.6ten sam produkt

Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1,...

CVE-2021-41162CRITICAL9.3ten sam produkt

Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render...

CVE-2021-41161CRITICAL9.3ten sam produkt

Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page d...

CVE-2025-47286HIGH8.6ten sam produkt

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrato...

CVE-2025-47773HIGH8.8ten sam produkt

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to c...