Dashboard editor vulnerable dashboard config file parameter

Moderate

Molkobain published GHSA-323r-chx5-m9gm

Apr 15, 2024

Package

iTop (SourceForge)

Affected versions

>3.0.0

Patched versions

3.0.4, 3.1.1

Description

Impact

Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file.

Patches

Fixed in 3.0.4, 3.1.1

References

Synacktiv publication : https://www.synacktiv.com/advisories/file-read-in-itop
Combodo ref N°6552 and N°6581

Credits

Many thanks to Jérôme Mampianinazakason (Synacktiv) for this report !

For more information

If you have any questions or comments about this advisory:
Email us at itop-security@combodo.com

Severity

Moderate

5.0

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N