PT-2020-9417 · Itop+1
Published 2019-04-16 · Updated 2020-02-19 · CVE-2019-13965
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
iTop versions prior to 2.6.1
Description:
The issue stems from a lack of output sanitization around error messages, leading to multiple reflected XSS issues. These exist in several PHP files, including webservices/export.php, webservices/cron.php, and env-production/itop-backup/backup.php, via the param_file parameter. By default, any XSS delivered to an administrator can be escalated to remote command execution. The reflected XSS can also become a stored XSS within the same account through a separate vulnerability.
Recommendations:
For iTop versions prior to 2.6.1, update to version 2.6.1 or later to resolve the issue.
As a temporary workaround, consider restricting access to the webservices/export.php, webservices/cron.php, and env-production/itop-backup/backup.php files to minimize the risk of exploitation.
Avoid using the param_file parameter in the affected API endpoints until the issue is resolved.
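The root cause named in the description above is an error message that reflects a request parameter into HTML without encoding it. The PHP below is an added example, not iTop's own code: it shows that vulnerable pattern next to two hardened forms (contextual output encoding, and validating the value so it never needs to be echoed at all). The parameter name param_file comes from the advisory; the error text, function names and directory layout are assumptions made for the demo.

```php
<?php
// Added example, not iTop's code. Demonstrates the class of bug described
// in the advisory: an error message that reflects a request parameter into
// an HTML page. "param_file" is the advisory's parameter name; everything
// else here (messages, function names, base directory) is hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the untrusted value is concatenated straight into the
// HTML error page, so whatever markup the value contains is rendered.
function renderErrorVulnerable(string $paramFile): string
{
    return '<p class="error">Unable to open parameter file: ' . $paramFile . '</p>';
}

// Hardened pattern: every untrusted value that reaches an HTML text or
// attribute context is encoded. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderErrorSafe(string $paramFile): string
{
    return '<p class="error">Unable to open parameter file: ' . escapeHtml($paramFile) . '</p>';
}

// Tighter still: validate the parameter against what the endpoint actually
// expects (a plain file name inside a fixed directory) and report a generic
// error instead of echoing the raw value back to the browser.
function resolveParamFile(string $paramFile, string $baseDir): ?string
{
    // Allow only a short, plain file name: no separators, no traversal.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $paramFile)
        || strpos($paramFile, '..') !== false) {
        return null;
    }
    $path = $baseDir . DIRECTORY_SEPARATOR . $paramFile;
    return is_file($path) ? $path : null;
}

// Constructed request value for the demo: a harmless tag that makes the
// difference between the two renderers visible.
$constructedParam = '<b>not-a-file</b>';

header('Content-Type: text/html; charset=UTF-8');
echo renderErrorVulnerable($constructedParam), PHP_EOL;   // tag is rendered
echo renderErrorSafe($constructedParam), PHP_EOL;         // tag is shown as text

$resolved = resolveParamFile($constructedParam, sys_get_temp_dir());
echo $resolved === null ? 'Invalid parameter file.' : 'Using ' . escapeHtml($resolved), PHP_EOL;
```

Run from the command line with `php example.php` and compare the two rendered lines. The third approach matters most for an endpoint like a backup or export script: because the advisory notes that an XSS reaching an administrator can be escalated to command execution, the safest error path is one that never reflects the attacker-controlled value at all, with output encoding as the backstop for every place that still does.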
Affected Products: Alt Linux, Itop