Reflected Cross-Site Scripting (XSS) in iTop
|Vulnerable Versions:||2.1.0-2127 and probably prior|
|Advisory Publication:||July 29, 2015 [without technical details]|
|Vendor Notification:||July 29, 2015|
|Vendor Fix:||July 30, 2015|
|Public Disclosure:||September 23, 2015|
|Latest Update:||September 23, 2015|
|Vulnerability Type:||Cross-Site Scripting [CWE-79]|
|CVSSv3 Base Score:||6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered vulnerability in iTop, which can be exploited to perform Cross-Site Scripting (XSS) attacks against web application users. iTop is a critical application, which is used to cover the entire set of ITIL processes. Successful attack on this web application may result in critical information exposure, data loss, and even unauthorized access to network infrastructure.
|Update to iTop 2.2.0-2459|
| High-Tech Bridge Advisory HTB23268 - https://www.immuniweb.com/advisory/HTB23268 - Reflected Cross-Site Scripting (XSS) in iTop.|
 iTop - http://www.combodo.com - iTop is an Open Source web application for the day to day operations of an IT environment.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
 ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.