CVE-2025-47286 | THREATINT

Description

Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it.

PUBLISHED Reserved 2025-05-05 | Published 2025-11-10 | Updated 2025-11-10 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Product status

< 2.7.13

affected

>= 3.0.0-alpha, < 3.2.2

affected

References

github.com/...o/iTop/security/advisories/GHSA-4w93-rw6g-5m9c

cve.org (CVE-2025-47286)

nvd.nist.gov (CVE-2025-47286)

Download JSON