
Cross-Site Request Forgery (CSRF) in several iTop pages

High
BenGrenoble published GHSA-xr4x-xq7v-7gqm Nov 8, 2024

Package

iTop

Affected versions

< 3.2

Patched versions

3.2.0

Description

Impact

The pages listed below can be requested on behalf of an authenticated iTop user by a third-party site (classic cross-site request forgery: the browser attaches the iTop session cookie and the page performs no anti-CSRF check before acting on the request).

Affected URLs:
/
/pages/UI.php
/pages/ajax.render.php
/pages/ajax.searchform.php
/pages/exec.php
/pages/exec.php/object/apply-stimulus/ev_wait_for_approval/UserRequest/5917
/pages/exec.php/object/apply-stimulus/ev_wait_for_approval/UserRequest/6399
/pages/exec.php/object/attachment/add
/pages/exec.php/object/create/Incident
/pages/exec.php/object/create/UserRequest
/pages/exec.php/object/edit/Incident/5648
/pages/exec.php/object/edit/Person/324
/pages/exec.php/object/edit/UserRequest/5917
/pages/exec.php/object/get-information/json
/pages/exec.php/object/search/from-attribute/contacts_list/Incident
/pages/exec.php/object/search/from-attribute/contacts_list/UserRequest
/pages/exec.php/object/search/from-attribute/related_request_list/UserRequest
/pages/exec.php/object/view/Organization/4
/pages/exec.php/object/view/Person/300
/pages/exec.php/object/view/Person/324
/pages/exec.php/session-message/add
/pages/exec.php/user
/pages/run_query.php

Patches

Method recommended by OWASP: custom request header. In this scheme the application's own scripts add a non-standard HTTP header to every state-changing request, and the server rejects such requests when the header is absent. A cross-site HTML form cannot set request headers, and a cross-origin XMLHttpRequest or fetch() that adds one triggers a CORS preflight, which the server does not approve, so the browser never sends the forged request. The method only covers endpoints called from script: plain HTML form submissions still need a synchronizer token, and GET endpoints must not change state.
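The following is an added example of the custom-request-header check, not iTop's own code; it models the server-side gate and the client-side helper on plain request objects so it runs offline. The header name X-Combodo-Ajax, the trusted origin https://itop.example.com and the sample requests are all constructed for illustration; this page does not state which header name the 3.2.0 fix uses.

```javascript
// Added example (not iTop's code): OWASP "custom request header" CSRF defence.
// Assumptions: the header name X-Combodo-Ajax is hypothetical; Node.js 18+.

const CSRF_HEADER = 'x-combodo-ajax';            // hypothetical header name, lower-cased as Node does
const SAFE_METHODS = new Set(['GET', 'HEAD']);   // read-only; these must never change state
const TRUSTED_ORIGINS = new Set(['https://itop.example.com']); // constructed for the example

// Lower-case header names the way Node's http module presents them.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Server side: decide whether a request may reach a state-changing handler.
// Returns { allowed, reason } so the caller can log why a request was dropped.
function csrfGate(req) {
  const method = req.method.toUpperCase();
  const headers = normalizeHeaders(req.headers);

  // A cross-origin fetch/XHR carrying a non-safelisted header is preceded by a
  // CORS preflight. Refusing it (no Access-Control-Allow-* headers) makes the
  // browser fail the request before the real one is ever sent.
  if (method === 'OPTIONS') {
    return { allowed: false, reason: 'CORS preflight refused' };
  }

  // Defence in depth (also recommended by OWASP): if the browser sent Origin,
  // it must be one of ours.
  if (headers.origin !== undefined && !TRUSTED_ORIGINS.has(headers.origin)) {
    return { allowed: false, reason: `untrusted origin ${headers.origin}` };
  }

  if (SAFE_METHODS.has(method)) {
    return { allowed: true, reason: 'read-only method' };
  }

  // The core check: an HTML <form> submitted from another site cannot set custom
  // headers, so its POST arrives without this header and is rejected.
  if (!(CSRF_HEADER in headers)) {
    return { allowed: false, reason: `missing ${CSRF_HEADER} header` };
  }
  return { allowed: true, reason: 'custom header present' };
}

// Client side: fetch() options the application's own scripts use for every
// state-changing call, so the header is never forgotten. Credentials are
// limited to same-origin so the session cookie is not sent elsewhere.
function clientRequestOptions(method, body) {
  return {
    method,
    credentials: 'same-origin',
    headers: { 'X-Combodo-Ajax': '1', 'Content-Type': 'application/json' },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Constructed requests, as the server would see them.
const SAMPLE_REQUESTS = {
  // Attacker page auto-submitting a form; the browser adds Origin to the POST.
  crossSiteForm: {
    method: 'POST',
    headers: { Origin: 'https://evil.example', 'Content-Type': 'application/x-www-form-urlencoded' },
  },
  // Same forgery with Origin stripped (privacy extension, old browser): the
  // header check alone must still stop it.
  crossSiteFormNoOrigin: {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  },
  // Preflight the browser sends before a cross-origin fetch that sets the header.
  crossSitePreflight: {
    method: 'OPTIONS',
    headers: { Origin: 'https://evil.example', 'Access-Control-Request-Headers': 'x-combodo-ajax' },
  },
  // The application's own script calling the same endpoint.
  legitimateAjax: {
    method: 'POST',
    headers: { Origin: 'https://itop.example.com', ...clientRequestOptions('POST').headers },
  },
  // Ordinary same-origin page load; reads are allowed without the header.
  pageView: { method: 'GET', headers: {} },
};

// Run every sample through the gate; returns { name: allowed }.
function evaluateSamples() {
  const result = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    result[name] = csrfGate(req).allowed;
  }
  return result;
}

console.log(evaluateSamples());
```

The header must be one the CORS spec does not safelist (any X-* name qualifies) so that a cross-origin script cannot add it without a preflight, and the server must never answer that preflight with Access-Control-Allow-Headers for untrusted origins. The gate protects only endpoints that are called from script; a page that is still reachable through a regular HTML form needs a per-session token as well.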

References

N°7124 - [SECU] Cross-Site Request Forgery (CSRF) in several iTop pages

Severity

High

CVSS overall score

7.6 / 10 (CVSS v3.0 base score computed from the vector below: impact 4.7, exploitability 2.8)

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CVE ID

CVE-2024-52002

Weaknesses

No CWEs