Product
combodo itop
81 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE | Affected versions | Description
CVE-2025-64167 | < 2.7.13 | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scriptin
CVE-2025-49145 | < 2.7.13 | Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to cr
CVE-2025-48878 | >= 3.0.0 and < 3.2.2 | Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object re
CVE-2025-48065 | < 2.7.13 | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting
CVE-2025-48055 | < 3.2.2 | Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in t
CVE-2025-47932 | < 2.7.13 | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting
CVE-2025-47773 | < 2.7.13 | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting
CVE-2025-47286 | < 2.7.13 | Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing th
CVE-2025-24969 | < 3.2.1 | iTop is a web based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by chang
CVE-2025-24785 | >= 3.2.0 and < 3.2.1 | iTop is a web based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error
CVE-2025-24026 | < 3.2.1 | iTop is a web based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (R
CVE-2025-24022 | < 2.7.12 | iTop is a web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible thr
CVE-2025-24021 | < 2.7.12 | iTop is a web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal
CVE-2024-56157 | < 3.1.3 | iTop is a web based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by filling malicious code in a CSV content, a
CVE-2024-52601 | < 2.7.12 | iTop is a web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal
CVE-2025-27139 | < 2.7.12 | Combodo iTop is a web based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site sc
CVE-2024-54139 | < 2.7.11 | Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0, iTop has
CVE-2024-52002 | < 3.2.0 | Combodo iTop is a simple, web based IT Service Management tool. Several URL endpoints are subject to a Cross-Site Request Forgery
CVE-2024-52001 | < 3.2.0 | Combodo iTop is a simple, web based IT Service Management tool. In affected versions, portal users are able to access forbidden ser
CVE-2024-52000 | < 3.2.0 | Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting
CVE-2024-51995 | < 3.2.0 | Combodo iTop is a web based IT Service Management tool. An attacker can request any route we want as long as we specify an `oper
CVE-2024-51994 | < 2.7.11 | Combodo iTop is a web based IT Service Management tool. In affected versions, uploading a text file containing some JavaScript in
CVE-2024-51993 | < 3.2.0 | Combodo iTop is a web based IT Service Management tool. An attacker accessing a backup file or the database can read some password
CVE-2024-51740 | < 2.7.11 | Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf o
CVE-2024-51739 | < 2.7.11 | Combodo iTop is a simple, web based IT Service Management tool. An unauthenticated user can perform user enumeration, which can make
CVE-2024-32870 | < 2.7.11 | Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters
CVE-2024-31998 | < 3.1.2 | Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has b
CVE-2024-31448 | < 3.1.2 | Combodo iTop is a simple, web based IT Service Management tool. By filling malicious code in a CSV content, a Cross-site Scriptin
CVE-2023-34445 | < 2.7.9 | Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php, XSS is possible for scripts
CVE-2023-34444 | < 2.7.9 | Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php, XSS is possible for scr
CVE-2023-34443 | < 2.7.9 | Combodo iTop is a simple, web based IT Service Management tool. When displaying the Run queries page, Cross-site Scripting (XSS) are po
CVE-2023-48710 | < 2.7.10 | iTop is an IT service management platform. Files from the env-production folder can be retrieved even though they should have r
CVE-2023-48709 | < 2.7.9 | iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may
CVE-2023-47626 | >= 3.1.0 and < 3.1.1 | iTop is an IT service management platform. When displaying/editing the user's personal tokens, XSS attacks are possible. This vul
CVE-2023-47622 | < 3.0.4 | iTop is an IT service management platform. When dashlets are refreshed, XSS attacks are possible. This vulnerability is fixed in
CVE-2023-47123 | >= 3.1.0 and < 3.1.1 | iTop is an IT service management platform. By filling malicious code in an object friendlyname / complementary name, an XSS attac
CVE-2023-45808 | < 2.7.10 | iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current
CVE-2023-44396 | < 2.7.1 | iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4,
CVE-2023-43790 | >= 3.1.0 and < 3.1.1 | iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used f
CVE-2023-38511 | >= 3.0.0 and < 3.0.4 | iTop is an IT service management platform. Dashboard editor: can load multiple files and URL, and full path disclosure on dashbo
CVE-2023-47489 | all versions | CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted scr
CVE-2023-47488 | all versions | Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a c
CVE-2023-34447 | < 3.0.4 | iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, on pages/UI.php, cross site
CVE-2023-34446 | all versions | iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, when displaying `pages/prefer
CVE-2022-39216 | > 2.0.2 and < 2.7.8 | Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password
CVE-2022-39214 | < 2.7.8 | Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log
CVE-2022-31403 | all versions | ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php.
CVE-2022-31402 | all versions | ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.
CVE-2022-24870 | all versions | Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3, a malicious script can be inje
CVE-2021-41162 | <= 2.7.6 | Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6, the `ajax.render.php?operation=wizar
CVE-2021-41161 | < 3.0.0 | Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6, the export CSV page doesn't properly escape
CVE-2022-24811 | < 2.7.6 | Combodo iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for sc
CVE-2022-24780 | < 2.7.6 | Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can se
CVE-2021-41245 | < 2.7.6 | Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITran
CVE-2021-32664 | < 2.6.5 | Combodo iTop is an open source web based IT Service Management tool. In affected versions there is an XSS vulnerability on "run que
CVE-2021-32663 | < 2.6.5 | iTop is an open source web based IT Service Management tool. In affected versions, an attacker can call the system setup without au
CVE-2021-32776 | < 2.7.4 | Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user,
CVE-2021-32775 | < 2.7.4 | Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/
CVE-2021-21407 | < 2.7.4 | Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be byp
CVE-2021-21406 | < 2.7.4 | Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection vul
CVE-2020-15221 | < 2.7.2 | Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local
CVE-2020-15220 | < 2.7.2 | Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the s
CVE-2020-15219 | < 2.7.2 | Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggere
CVE-2020-15218 | < 2.7.2 | Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that t
CVE-2020-4079 | < 2.7.2 | Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "e
CVE-2020-12781 | < 2.7.1 | Combodo iTop contains a cross-site request forgery (CSRF) vulnerability; attackers can execute specific commands via malicious sit
CVE-2020-12780 | < 2.7.1 | A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12779 | < 2.7.0 | Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading a file with a malicious script.
CVE-2020-12778 | < 2.7.1 | Combodo iTop does not validate inputted parameters; attackers can inject malicious commands and launch an XSS attack.
CVE-2020-12777 | < 2.7.1 | A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows an unauthorized attacker to inject command
CVE-2020-11696 | < 2.7.0 | In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, es
CVE-2020-11697 | < 2.7.0 | In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, esse
CVE-2019-19821 | < 2.7 | A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access inf
CVE-2019-13967 | >= 2.2.0 and <= 2.6.0 | iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a c
CVE-2019-13966 | <= 2.6.0 | In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboar
CVE-2019-13965 | <= 2.6.0 | Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_
CVE-2019-11215 | >= 2.2.0 and <= 2.4.0 | In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished b
CVE-2018-10642 | <= 2.4.1 | Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by
CVE-2015-6544 | < 2.2.0-2459 | Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote at
CVE-2013-0805 | <= 2.0 | Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and
CVE-2011-4275 | all versions | Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attac