PT-2024-34874 · Combodo · iTop

Worty-Syn

Published 2024-11-05 · Updated 2025-04-28 · CVE-2024-51739

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Combodo iTop versions prior to 2.7.11
Combodo iTop versions prior to 3.0.5
Combodo iTop versions prior to 3.1.2
Combodo iTop versions prior to 3.2.0
Description
An unauthenticated user can enumerate valid accounts through the password-reset form: the message displayed after a login is submitted for a reset differs depending on whether that login exists (the UI:ResetPwd-Error-WrongLogin text is returned for unknown logins, a different text for known ones). A list of confirmed logins makes a subsequent brute-force attack against those accounts easier.
Recommendations
For versions prior to 2.7.11, upgrade to version 2.7.11 or later.
For versions prior to 3.0.5, upgrade to version 3.0.5 or later.
For versions prior to 3.1.2, upgrade to version 3.1.2 or later.
For versions prior to 3.2.0, upgrade to version 3.2.0 or later.
As a temporary workaround for users unable to upgrade, overload the dictionary entry UI:ResetPwd-Error-WrongLogin through an extension and replace it with a generic message. The replacement text must be the same as the message shown for a valid login; if the two responses still differ in any way, the enumeration remains possible.
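The oracle described above and the dictionary-overload workaround, reduced to a runnable model. This is an added example, not iTop's code: the message dictionary mirrors iTop's dictionary-entry mechanism, but only the key UI:ResetPwd-Error-WrongLogin comes from the advisory; the success key, all message texts, the user store and the helper names are assumptions made for the demonstration.

```python
"""Added example (not Combodo iTop's own code): a toy password-reset handler
that reproduces the user-enumeration oracle from CVE-2024-51739, the
dictionary-overload workaround, and a differential check that detects it."""

# Constructed message dictionary modelled on iTop's dictionary entries.
# Only UI:ResetPwd-Error-WrongLogin appears in the advisory; the success key
# and every message text are assumptions for this example.
DEFAULT_DICT = {
    "UI:ResetPwd-Error-WrongLogin": "This login does not exist.",
    "UI:ResetPwd-EmailSent": "An e-mail with reset instructions has been sent.",
}

# Workaround from the advisory: overload the WrongLogin entry with a generic
# message. Both paths must display the same text, so the success entry is
# overloaded too (assumed wording).
GENERIC = "If this login exists, reset instructions have been sent to its e-mail address."
HARDENED_DICT = {
    **DEFAULT_DICT,
    "UI:ResetPwd-Error-WrongLogin": GENERIC,
    "UI:ResetPwd-EmailSent": GENERIC,
}

# Constructed user store for the demo (not real accounts).
USERS = {"admin": "admin@example.invalid", "jdoe": "jdoe@example.invalid"}


def reset_password(login, dictionary, users=USERS, outbox=None):
    """Handle one reset request and return the text shown to the client.

    The e-mail is 'sent' by appending to outbox, and only when the login
    exists; the hardened dictionary changes what is displayed, not whether
    a real user receives the reset link.
    """
    if login not in users:
        return dictionary["UI:ResetPwd-Error-WrongLogin"]
    if outbox is not None:
        outbox.append(users[login])
    return dictionary["UI:ResetPwd-EmailSent"]


def has_login_oracle(dictionary, known="admin", unknown="nosuchuser"):
    """Differential check: does the visible response distinguish an existing
    login from an unknown one? True means the enumeration oracle is present."""
    return reset_password(known, dictionary) != reset_password(unknown, dictionary)


def enumerate_logins(candidates, dictionary, baseline_unknown="zzz-not-a-user"):
    """What an unauthenticated attacker does with the oracle: take the response
    for a login that certainly does not exist as the baseline and keep every
    candidate whose response differs from it."""
    baseline = reset_password(baseline_unknown, dictionary)
    return [c for c in candidates if reset_password(c, dictionary) != baseline]


if __name__ == "__main__":
    wordlist = ["root", "admin", "jdoe", "guest"]
    print("oracle present (default):", has_login_oracle(DEFAULT_DICT))
    print("enumerated (default):    ", enumerate_logins(wordlist, DEFAULT_DICT))
    print("oracle present (hardened):", has_login_oracle(HARDENED_DICT))
    print("enumerated (hardened):    ", enumerate_logins(wordlist, HARDENED_DICT))
```

`has_login_oracle` is the check to run against a staging instance after applying the extension: if it still returns True, the overloaded text does not match the success path. Note that this model only closes the message-content channel; because the reset e-mail is still sent only for existing users, response time can remain a weaker side channel, and the upgrade is the recommended fix.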

Weakness Enumeration

Information Disclosure
Side Channel Attack

Related Identifiers

ALT-PU-2025-4212
CVE-2024-51739
GHSA-2HMF-P27W-PHF9

Affected Products

Alt Linux
Itop