CVE-2023-48710 - Files or Directories Accessible to External Parties vulnerability in Combodo Itop
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though access to them should be restricted. Natively, no sensitive files are stored in that folder, but a third-party module could place some there. The `pages/exec.php` script has been fixed to execute PHP files only; other file types are no longer retrieved or exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.
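The advisory describes two separate controls for a dispatcher like `pages/exec.php`: keeping the resolved path inside `env-production`, and refusing to serve anything that is not a PHP page. The example below is added here to show why the second control matters; it is illustrative Python, not iTop's code, and the function names (`resolve_exec_target`, `build_demo_env`), the `some-module` layout and the `module.json` contents are constructed for the demo. The `php_only=False` path reproduces the pre-fix behaviour described in the summary: confinement alone still lets a non-PHP file out of a module directory.

```python
"""
Path confinement plus extension allow-list for a module dispatcher.
Added example modelled on the fix described for pages/exec.php; it is not
iTop's code. Names and sample files are constructed for the demonstration.
"""
import tempfile
from pathlib import Path
from typing import Optional


def resolve_exec_target(env_root: str, exec_module: str, exec_page: str,
                        php_only: bool = True) -> Optional[Path]:
    """Return the file a dispatcher may include, or None to refuse the request.

    env_root    : the env-production directory (trusted, server-side).
    exec_module : module name taken from the request (untrusted).
    exec_page   : page name taken from the request (untrusted).
    php_only    : True mirrors the fixed behaviour; False mirrors the
                  vulnerable behaviour that only checked confinement.
    """
    try:
        root = Path(env_root).resolve()
        # Joining an absolute exec_page discards root; '..' segments are
        # collapsed by resolve(); both are caught by the containment test.
        candidate = (root / exec_module / exec_page).resolve()
    except (OSError, ValueError):
        # e.g. embedded NUL byte or an unresolvable path component
        return None

    # Control 1: the target must be strictly below env_root.
    if root not in candidate.parents:
        return None

    # Control 2 (the fix): only PHP pages are executed. Anything else
    # (.json, .txt, .sql, ...) is never read back to the client.
    if php_only and candidate.suffix != ".php":
        return None

    if not candidate.is_file():
        return None
    return candidate


def build_demo_env() -> str:
    """Create a throwaway env-production tree (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="env-production-")
    module_dir = Path(root) / "some-module"
    module_dir.mkdir()
    (module_dir / "page.php").write_text("<?php echo 'ok';\n")
    # A third-party module might drop something like this next to its pages.
    (module_dir / "module.json").write_text('{"api_token": "do-not-expose"}\n')
    return root


if __name__ == "__main__":
    env = build_demo_env()
    requests = [
        ("some-module", "page.php"),
        ("some-module", "module.json"),
        ("some-module", "../../../../etc/passwd"),
        ("some-module", "/etc/passwd"),
    ]
    for module, page in requests:
        fixed = resolve_exec_target(env, module, page)
        legacy = resolve_exec_target(env, module, page, php_only=False)
        print(f"{module}/{page}: fixed={fixed is not None} legacy={legacy is not None}")
```

Note that `module.json` passes the containment check in both modes; only the extension allow-list refuses it. Checking `candidate.suffix` after `resolve()` also defeats tricks such as `page.php/../module.json`, because the suffix is taken from the final resolved path rather than from the raw request string.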
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26
- https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc