cnvd - cnvd-2021-03527

cnvd-2021-03527

Vulnerability from cnvd

Title: Combodo iTop跨站脚本漏洞（CNVD-2021-03527）

Description:

Combodo iTop是一款用于管理硬件、软件和相关服务的免费软件。

Combodo iTop 2.7.2、3.0.0之前版本存在跨站脚本漏洞。攻击者可通过修改目标浏览器的本地存储利用该漏洞进行跨站脚本攻击。

Severity: 低

Patch Name: Combodo iTop跨站脚本漏洞（CNVD-2021-03527）的补丁

Patch Description:

Combodo iTop是一款用于管理硬件、软件和相关服务的免费软件。

Combodo iTop 2.7.2、3.0.0之前版本存在跨站脚本漏洞。攻击者可通过修改目标浏览器的本地存储利用该漏洞进行跨站脚本攻击。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-15221

Impacted products

Name
['Combodo Combodo iTop <2.7.2', 'Combodo Combodo iTop <3.0.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15221",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15221"
    }
  },
  "description": "Combodo iTop\u662f\u4e00\u6b3e\u7528\u4e8e\u7ba1\u7406\u786c\u4ef6\u3001\u8f6f\u4ef6\u548c\u76f8\u5173\u670d\u52a1\u7684\u514d\u8d39\u8f6f\u4ef6\u3002\n\nCombodo iTop 2.7.2\u30013.0.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u4fee\u6539\u76ee\u6807\u6d4f\u89c8\u5668\u7684\u672c\u5730\u5b58\u50a8\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-03527",
  "openTime": "2021-01-16",
  "patchDescription": "Combodo iTop\u662f\u4e00\u6b3e\u7528\u4e8e\u7ba1\u7406\u786c\u4ef6\u3001\u8f6f\u4ef6\u548c\u76f8\u5173\u670d\u52a1\u7684\u514d\u8d39\u8f6f\u4ef6\u3002\r\n\r\nCombodo iTop 2.7.2\u30013.0.0\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u4fee\u6539\u76ee\u6807\u6d4f\u89c8\u5668\u7684\u672c\u5730\u5b58\u50a8\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Combodo iTop\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-03527\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Combodo Combodo iTop \u003c2.7.2",
      "Combodo Combodo iTop \u003c3.0.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-15221",
  "serverity": "\u4f4e",
  "submitTime": "2021-01-14",
  "title": "Combodo iTop\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-03527\uff09"
}

CVE-2020-15221 (GCVE-0-2020-15221)

Vulnerability from cvelistv5

Published

2021-01-13 17:10

Modified

2024-08-04 13:08

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0.

References

▼	URL	Tags
	https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Combodo	iTop	Version: < 2.7.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:23.137Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "iTop",
          "vendor": "Combodo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.7.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-13T17:10:15",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw"
        }
      ],
      "source": {
        "advisory": "GHSA-w6g2-p7pf-7hvw",
        "discovery": "UNKNOWN"
      },
      "title": "XSS in the breadcrumbs",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15221",
          "STATE": "PUBLIC",
          "TITLE": "XSS in the breadcrumbs"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "iTop",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.7.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Combodo"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw",
              "refsource": "CONFIRM",
              "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-w6g2-p7pf-7hvw",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15221",
    "datePublished": "2021-01-13T17:10:15",
    "dateReserved": "2020-06-25T00:00:00",
    "dateUpdated": "2024-08-04T13:08:23.137Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted