Vulnerability Details : CVE-2022-39214
Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1.
Products affected by CVE-2022-39214
- cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* (affected: versions before 2.7.8 and 3.0.x before 3.0.2-1, per the description above)
Exploit prediction scoring system (EPSS) score for CVE-2022-39214
EPSS score: 0.23% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~62% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-39214
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | NIST |
9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | 3.1 | 5.8 | GitHub, Inc. |
CWE ids for CVE-2022-39214
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-39214
- https://github.com/Combodo/iTop/commit/bdebea62b642622ed71410b26c81e8537e6e58fa
  N°5394 - use session for the FSM (use Session object) · Combodo/iTop@bdebea6 · GitHub (Patch)
- https://github.com/Combodo/iTop/commit/4c1df9927d1dc6b0181ee20721f93346def026fd
  N°5394 - use session for the FSM · Combodo/iTop@4c1df99 · GitHub (Patch)
- https://github.com/Combodo/iTop/security/advisories/GHSA-vj96-j84g-jhx4
  Authenticated users can takeover any account · Advisory · Combodo/iTop · GitHub (Vendor Advisory)