CVE-2025-24021 - Vulnerability Details - OpenCVE

ReportizFlow

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Combodo	Itop

Configuration 1 [-]

OR	cpe:2.3:a:combodo:itop::::::::
	cpe:2.3:a:combodo:itop::::::::
	cpe:2.3:a:combodo:itop::::::::

No data.

References

Link	Providers
https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b
https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj

History

Fri, 22 Aug 2025 21:00:00 +0000

Type	Values Removed	Values Added
References		https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b

Fri, 01 Aug 2025 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:combodo:itop::::::::

Wed, 14 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 14 May 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.
Title		iTop doesn't have mass assignment of fields in the portal form
Weaknesses		CWE-862
References		https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj
Metrics		cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-05-14T14:48:42.694Z

Updated: 2025-08-26T13:44:18.910Z

Reserved: 2025-01-16T17:31:06.459Z

Link: CVE-2025-24021

Vulnrichment

Updated: 2025-05-14T15:12:53.516Z

NVD

Status : Modified

Published: 2025-05-14T15:15:56.157

Modified: 2025-08-22T21:15:30.793

Link: CVE-2025-24021

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24021", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-16T17:31:06.459Z", "datePublished": "2025-05-14T14:48:42.694Z", "dateUpdated": "2025-08-26T13:44:18.910Z"}, "containers": {"cna": {"title": "iTop doesn't have mass assignment of fields in the portal form", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj"}, {"name": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b", "tags": ["x_refsource_MISC"], "url": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b"}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"version": "< 2.7.12", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.3", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-22T20:45:11.090Z"}, "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}], "source": {"advisory": "GHSA-c8hm-h9gv-8jpj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T15:12:47.176574Z", "id": "CVE-2025-24021", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T13:44:18.910Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24021", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-14T15:12:47.176574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T15:12:53.516Z"}}], "cna": {"title": "iTop doesn't have mass assignment of fields in the portal form", "source": {"advisory": "GHSA-c8hm-h9gv-8jpj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"status": "affected", "version": "< 2.7.12"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.3"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.1"}]}], "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b", "name": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-22T20:45:11.090Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24021", "state": "PUBLISHED", "dateUpdated": "2025-08-26T13:44:18.910Z", "dateReserved": "2025-01-16T17:31:06.459Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-14T14:48:42.694Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC277226-1ABB-4593-B14C-4910541DA298", "versionEndExcluding": "2.7.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C365D2D-CA46-4DA0-8739-7950631132E0", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE41CA6-35B8-41BA-B116-B63136CA48C9", "versionEndExcluding": "3.2.1", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}, {"lang": "es", "value": "iTop es una herramienta web de gesti\u00f3n de servicios de TI. En versiones anteriores a las 2.7.12, 3.1.3 y 3.2.1, cualquier persona con una cuenta y acceso al portal pod\u00eda asignar valores a campos de objeto cuando no deb\u00eda. Las versiones 2.7.12, 3.1.3 y 3.2.1 incluyen una soluci\u00f3n para este problema."}], "id": "CVE-2025-24021", "lastModified": "2025-08-22T21:15:30.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-05-14T15:15:56.157", "references": [{"source": "[email protected]", "url": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Secondary"}]}