CVE-2018-10642

Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
combodoitop
𝑥
≤ 2.4.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt
https://sourceforge.net/p/itop/tickets/1585/
https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt
https://sourceforge.net/p/itop/tickets/1585/