Bengrenoble

Name of the Vulnerable Software and Affected Versions: iTop versions prior to 3.2.1 Description: The issue is related to a regular expression denial of service (ReDoS) that may affect the iTop server under certain circumstances. The problem arises from the use of an affected variable in a regular expression. However, if the `app root url` is defined in the configuration file, exploitation of this issue is not possible. Recommendations: For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, ensure that `app root url` is defined in the configuration file to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 3.2.0 **Description** The issue is a reflected Cross-site Scripting (XSS) exploit that occurs when editing a request's payload, leading to malicious javascript execution. This has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. **Recommendations** For versions prior to 3.2.0, upgrade to version 3.2.0 to patch the vulnerability. As a temporary workaround, consider restricting access to the editing functionality of requests until the upgrade is applied. There are no known workarounds for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 3.2.0 **Description** The issue allows portal users to access forbidden services information. This is a problem with the Combodo iTop tool, which is used for IT Service Management. There are no known workarounds for this issue. **Recommendations** For versions prior to 3.2.0, upgrade to version 3.2.0 to resolve the issue. As a temporary workaround, consider restricting access to sensitive service information until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 3.2.0 **Description** Combodo iTop is a simple, web-based IT Service Management tool. Several URL endpoints are subject to a Cross-Site Request Forgery (CSRF) vulnerability. This issue has been addressed in version 3.2.0. **Recommendations** For versions prior to 3.2.0, upgrade to version 3.2.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable URL endpoints until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 3.2.0 **Description** The issue allows an attacker accessing a backup file or the database to read some passwords for misconfigured users. This is due to the storage of sensitive data in cleartext. The impact of this issue is the exposure of confidential information. **Recommendations** For versions prior to 3.2.0, upgrade to version 3.2.0 to address the issue. If an upgrade is not possible, users are advised to encrypt their backups independently of the iTop application. As a temporary workaround, consider sanitizing the parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 3.2.0 **Description** The issue is related to a Cross-site Scripting (XSS) vulnerability that can be triggered by uploading a text file containing JavaScript to the portal. This is a web-based IT Service Management tool. **Recommendations** For versions prior to 3.2.0, upgrade to version 3.2.0 to address the issue. As a temporary workaround, consider restricting the upload of text files to the portal until the upgrade is applied. Avoid using the portal's file upload feature with untrusted input until the issue is resolved.