CVE-2023-48710

critical

Description

iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

References

https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc

https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26

Details

Source: Mitre, NVD

Published: 2024-04-15

Updated: 2025-02-06

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00969