Worty-Syn

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 2.7.11 Combodo iTop versions prior to 3.0.5 Combodo iTop versions prior to 3.1.2 Combodo iTop versions prior to 3.2.0 **Description** The issue allows an unauthenticated user to perform user enumeration, making it easier to brute force a valid account. This is due to the sentence displayed after resetting a password indicating whether the user exists or not. **Recommendations** For versions prior to 2.7.11, upgrade to version 2.7.11 or later. For versions prior to 3.0.5, upgrade to version 3.0.5 or later. For versions prior to 3.1.2, upgrade to version 3.1.2 or later. For versions prior to 3.2.0, upgrade to version 3.2.0 or later. As a temporary workaround for users unable to upgrade, overload the dictionary entry `UI:ResetPwd-Error-WrongLogin` through an extension and replace it with a generic message.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 2.7.11 Combodo iTop versions prior to 3.0.5 Combodo iTop versions prior to 3.1.2 Combodo iTop versions prior to 3.2.0 **Description** This issue allows an attacker to create HTTP requests on behalf of the server from a low-privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. **Recommendations** For versions prior to 2.7.11, upgrade to version 2.7.11 or later. For versions prior to 3.0.5, upgrade to version 3.0.5 or later. For versions prior to 3.1.2, upgrade to version 3.1.2 or later. For versions prior to 3.2.0, upgrade to version 3.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Combodo iTop versions prior to 2.7.11 Combodo iTop versions prior to 3.0.5 Combodo iTop versions prior to 3.1.2 Combodo iTop versions prior to 3.2.0 **Description** Combodo iTop is a simple, web-based IT Service Management tool. The issue allows anyone having access to the iTop URI to read server, OS, DBMS, PHP, and iTop information, including name, version, and parameters. **Recommendations** For versions prior to 2.7.11, upgrade to version 2.7.11 or later. For versions prior to 3.0.5, upgrade to version 3.0.5 or later. For versions prior to 3.1.2, upgrade to version 3.1.2 or later. For versions prior to 3.2.0, upgrade to version 3.2.0 or later.