
Markus Krell

#14338 of 53,630
18.8 Total CVSS
Vulnerabilities · 2 (High: 1, Critical: 1)
PT-2022-4549 · CVSS 9.0 · 2020-04-09
Comodo · Itop · CVE-2022-24780

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 2.7.6 and 3.0.0

**Description** The issue is related to incorrect code generation management in the iTop web-based IT Service Management tool. It allows users of the iTop user portal to send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges.

**Recommendations** For versions prior to 2.7.6, update to version 2.7.6 or later. For versions prior to 3.0.0, update to version 3.0.0 or later. As a temporary workaround, consider restricting access to the iTop user portal until a patch is applied.

PT-2016-1729 · CVSS 9.8 · 2016-02-26
Hobbit Monitor Systems · Xymon · CVE-2016-2054

**Name of the Vulnerable Software and Affected Versions** Xymon versions 4.1.x through 4.3.x before 4.3.25

**Description** The issue is caused by multiple buffer overflows in the xymond/xymond.c file, allowing remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a long filename, involving handling a "config" command.

**Recommendations** For versions 4.1.x through 4.3.x before 4.3.25, update to version 4.3.25 or later to resolve the issue. As a temporary workaround, consider restricting access to the `config` command in the xymond/xymond.c file until a patch is available.