CVE-2019-13966

In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
combodoitop
𝑥
≤ 2.6.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://0day.love/itop_vulnerabilities_disclosure.pdf
https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log
https://0day.love/itop_vulnerabilities_disclosure.pdf
https://www.itophub.io/wiki/page?id=latest%3Arelease%3Achange_log