No silo check on extkey in console and portal
Package
iTop
(SourceForge)
Affected versions
< 2.7.10, < 3.0.4, < 3.1.1, <3.2.0
Patched versions
2.7.10, 3.0.4, 3.1.1, 3.2.0
Description
Credits
-
lujiefsi Reporter
Impact
When creating or updating an object, extkey values aren't checked against current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects: for example a UserRequest in an out of scop Organization.
Patches
Fixed in iTop 2.7.10, 3.0.4, 3.1.1, 3.2.0
References
Credits
@lujiefsi
For more information
If you have any questions or comments about this advisory:
Email us at itop-security@combodo.com