CVE-2019-19821

EUVD-2019-9419
A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses. This is fixed in all iTop packages (community, essential, professional) in versions : 2.5.4, 2.6.3, 2.7.0
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Affected Products (NVD)
VendorProductVersion
combodoitop
𝑥
< 2.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796
https://www.combodo.com/itop-193
https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/
https://github.com/Combodo/iTop/security/advisories/GHSA-2gfp-2qvh-9796
https://www.combodo.com/itop-193
https://www.pentagrid.ch/de/blog/security_issues_in_teampasswordmanager_and_combodo_itop/