CVE-2024-51993

EUVD-2024-45559

07.11.2024, 18:15

Combodo iTop is a web based IT Service Management tool. An attacker accessing a backup file or the database can read some passwords for misconfigured Users. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. Users unable to upgrade are advised to encrypt their backups independently of the iTop application.

### Patches
Sanitize parameter

### References
N°7631 - Password is stored in clear in the database.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.4 LOW	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
GitHub_M	CNA	3.4 LOW	LOCAL	LOW	HIGH	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CISA-ADP	ADP	3.4 LOW	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
combodo	itop	𝑥 < 3.2.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-312 - Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

References

https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427