V4Yne1

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 2.7.9 Combodo iTop versions prior to 3.0.4 Combodo iTop versions prior to 3.1.0 **Description** Combodo iTop is a simple, web-based IT Service Management tool. When displaying pages, specifically the "ajax.searchform.php" page, Cross-Site Scripting (XSS) attacks are possible for scripts outside of script tags. **Recommendations** For versions prior to 2.7.9, upgrade to version 2.7.9 or later. For versions prior to 3.0.4, upgrade to version 3.0.4 or later. For versions prior to 3.1.0, upgrade to version 3.1.0 or later. As a temporary workaround, consider restricting access to the vulnerable "ajax.searchform.php" page until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 2.7.9 Combodo iTop versions prior to 3.0.4 Combodo iTop versions prior to 3.1.0 **Description** Combodo iTop is a simple, web-based IT Service Management tool. When displaying pages/ajax.render.php, XSS are possible for scripts outside of script tags. This issue could be exploited to compromise system integrity. All users are advised to upgrade, as there are no known workarounds for this vulnerability. **Recommendations** For versions prior to 2.7.9, upgrade to version 2.7.9 or later. For versions prior to 3.0.4, upgrade to version 3.0.4 or later. For versions prior to 3.1.0, upgrade to version 3.1.0 or later. As a temporary workaround, consider restricting access to the vulnerable `pages/ajax.render.php` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** iTop versions prior to 2.7.10 iTop versions prior to 3.0.4 iTop versions prior to 3.1.1 **Description** iTop is an IT service management platform. The Dashlet edits "ajax endpoints" can be used to produce XSS. **Recommendations** For versions prior to 2.7.10, update to version 2.7.10 or later. For versions prior to 3.0.4, update to version 3.0.4 or later. For versions prior to 3.1.1, update to version 3.1.1 or later. As a temporary workaround, consider restricting access to the Dashlet edits ajax endpoints until a patch is available.

**Name of the Vulnerable Software and Affected Versions** iTop versions prior to 3.0.4 and 3.1.0 **Description** The issue concerns cross site scripting when displaying the `pages/preferences.php` page in iTop, an open source, web-based IT service management platform. **Recommendations** For versions prior to 3.0.4, update to version 3.0.4 or later. For versions prior to 3.1.0, update to version 3.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** iTop versions prior to 3.0.4 and 3.1.0 **Description** iTop is an open source, web-based IT service management platform. Cross site scripting is possible on `pages/UI.php` in versions prior to 3.0.4 and 3.1.0. **Recommendations** For versions prior to 3.0.4, update to version 3.0.4 or later. For versions prior to 3.1.0, update to version 3.1.0 or later. As a temporary workaround, consider restricting access to the `pages/UI.php` page until a patch is applied.