CVE-2019-11215

Name of the Vulnerable Software and Affected Versions Combodo iTop versions 2.2.0 through 2.6.0

Description The issue allows for the execution of arbitrary code by calling "ajax.dataloader" with a maliciously crafted payload if the configuration file is writable. Several conditions can make the configuration file writable, including during installation, upgrade, or when an error occurs during file modification from the web interface, which can be triggered with XSS. Additionally, a race condition can be triggered by the hub-connector module in the community version from 2.4.1 to 2.6.0, or when editing the file in a CLI.

Recommendations For Combodo iTop versions 2.2.0 through 2.6.0, consider restricting access to the "ajax.dataloader" endpoint until a fix is available. As a temporary workaround, ensure the configuration file is not writable to prevent exploitation. Restrict access to the hub-connector module in community versions from 2.4.1 to 2.6.0 to minimize the risk of the race condition. Avoid using the web interface to modify the configuration file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.