Vulnerabilities > Combodo

DATE CVE VULNERABILITY TITLE RISK
2020-03-16 CVE-2019-19821 Cross-site Scripting vulnerability in Combodo Itop
A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information and modify information with administrative privileges by not following the HTTP Location header in server responses.
network
low complexity
combodo CWE-79
8.1
2020-02-14 CVE-2019-13967 Unspecified vulnerability in Combodo Itop
iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile operation.
network
low complexity
combodo
7.5
2020-02-14 CVE-2019-13966 Cross-site Scripting vulnerability in Combodo Itop
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard.
network
low complexity
combodo CWE-79
6.1
2020-02-14 CVE-2019-13965 Cross-site Scripting vulnerability in Combodo Itop
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php.
network
low complexity
combodo CWE-79
6.1
2020-02-14 CVE-2019-11215 Incorrect Permission Assignment for Critical Resource vulnerability in Combodo Itop
In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling ajax.dataloader with a maliciously crafted payload.
network
high complexity
combodo CWE-732
8.1
2019-04-04 CVE-2019-10863 Code Injection vulnerability in Combodo Teemip
A command injection vulnerability exists in TeemIp versions before 2.4.0.
network
low complexity
combodo CWE-94
7.2
2018-05-02 CVE-2018-10642 Code Injection vulnerability in Combodo Itop
Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().
network
low complexity
combodo CWE-94
7.2
2018-02-20 CVE-2015-6544 Cross-site Scripting vulnerability in Combodo Itop
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.
network
low complexity
combodo CWE-79
6.1