Every CVE whose affected-product data names Combodo Itop, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (81)
CVE-2023-48710 — CVSS 9.8 (critical): iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted…
CVE-2022-39214 — CVSS 9.6 (critical): Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on…
CVE-2021-41161 — CVSS 9.3 (critical): Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user…
CVE-2021-41162 — CVSS 9.3 (critical): Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper`…
CVE-2023-34445 — CVSS 8.8 (high): Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php XSS are possible for scripts outside…
CVE-2023-34447 — CVSS 8.8 (high): iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, on `pages/UI.php`, cross site…
CVE-2025-47932 — CVSS 8.8 (high): Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a…
CVE-2023-34444 — CVSS 8.8 (high): Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php XSS are possible for scripts…
CVE-2023-34443 — CVSS 8.8 (high): Combodo iTop is a simple, web based IT Service Management tool. When displaying page Run queries Cross-site Scripting (XSS) are possible…
CVE-2025-47773 — CVSS 8.8 (high): Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a…
CVE-2025-48065 — CVSS 8.8 (high): Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a…
CVE-2023-47626 — CVSS 8.8 (high): iTop is an IT service management platform. When displaying/editing the user's personal tokens, XSS attacks are possible. This vulnerability…
CVE-2024-31998 — CVSS 8.8 (high): Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed…
CVE-2024-31448 — CVSS 8.8 (high): Combodo iTop is a simple, web based IT Service Management tool. By filling malicious code in a CSV content, an Cross-site Scripting (XSS)…
CVE-2023-34446 — CVSS 8.8 (high): iTop is an open source, web-based IT service management platform. Prior to versions 3.0.4 and 3.1.0, when displaying `pages/preferences.php`…
CVE-2023-47622 — CVSS 8.8 (high): iTop is an IT service management platform. When dashlet are refreshed, XSS attacks are possible. This vulnerability is fixed in 3.0.4 and…
CVE-2022-24780 — CVSS 8.8 (high): Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG…
CVE-2024-52002 — CVSS 8.8 (high): Combodo iTop is a simple, web based IT Service Management tool. Several url endpoints are subject to a Cross-Site Request Forgery (CSRF)…
CVE-2023-47123 — CVSS 8.7 (high): iTop is an IT service management platform. By filling malicious code in an object friendlyname / complementary name, an XSS attack can be…
CVE-2022-24870 — CVSS 8.7 (high): Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in…
CVE-2025-49145 — CVSS 8.7 (high): Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create…
CVE-2021-32663 — CVSS 8.7 (high): iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without…
CVE-2025-48055 — CVSS 8.5 (high): Combodo iTop is a web based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user…
CVE-2025-24022 — CVSS 8.5 (high): iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the…
CVE-2019-19821 — CVSS 8.1 (high): A post-authentication privilege escalation in the web application of Combodo iTop allows regular authenticated users to access information…
CVE-2019-11215 — CVSS 8.1 (high): In Combodo iTop 2.2.0 through 2.6.0, if the configuration file is writable, then execution of arbitrary code can be accomplished by calling…
CVE-2021-32664 — CVSS 8.1 (high): Combodo iTop is an open source web based IT Service Management tool. In affected versions there is a XSS vulnerability on "run query" page…
CVE-2023-48709 — CVSS 8.0 (high): iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include…
CVE-2021-21407 — CVSS 8.0 (high): Combodo iTop is an open source, web based IT Service Management tool. Prior to version 2.7.4, the CSRF token validation can be bypassed…
CVE-2024-54139 — CVSS 7.9 (high): Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0., iTop has a…
CVE-2023-47489 — CVSS 7.8 (high): CSV injection in export as csv in Combodo iTop v.3.1.0-2-11973 allows a local attacker to execute arbitrary code via a crafted script to…
CVE-2020-4079 — CVSS 7.7 (high): Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel…
CVE-2021-32775 — CVSS 7.7 (high): Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field…
CVE-2024-51739 — CVSS 7.5 (high): Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it…
CVE-2020-12777 — CVSS 7.5 (high): A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and…
CVE-2019-13967 — CVSS 7.5 (high): iTop 2.2.0 through 2.6.0 allows remote attackers to cause a denial of service (application outage) via many requests to launch a compile…
CVE-2020-12778 — CVSS 7.4 (high): Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2022-39216 — CVSS 7.4 (high): Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is…
CVE-2025-47286 — CVSS 7.2 (high): Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the…
CVE-2018-10642 — CVSS 7.2 (high): Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing…
CVE-2024-51995 — CVSS 7.1 (high): Combodo iTop is a web based IT Service Management tool. An attacker can request any `route` we want as long as we specify an `operation`…
CVE-2025-64167 — CVSS 7.1 (high): Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack…
CVE-2021-32776 — CVSS 6.8 (medium): Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on…
CVE-2020-15221 — CVSS 6.8 (medium): Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage…
CVE-2020-12779 — CVSS 6.8 (medium): Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-15218 — CVSS 6.8 (medium): Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, admin pages are cached, so that their…
CVE-2025-27139 — CVSS 6.8 (medium): Combodo iTop is a web based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting…
CVE-2023-44396 — CVSS 6.8 (medium): iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.
CVE-2024-52601 — CVSS 6.5 (medium): iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access…
CVE-2021-41245 — CVSS 6.5 (medium): Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by…
CVE-2024-56157 — CVSS 6.3 (medium): iTop is an web based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by filling malicious code in a CSV content, a…
CVE-2015-6544 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers…
CVE-2022-31403 — CVSS 6.1 (medium): ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/pages/ajax.render.php.
CVE-2023-47488 — CVSS 6.1 (medium): Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted…
CVE-2022-31402 — CVSS 6.1 (medium): ITOP v3.0.1 was discovered to contain a cross-site scripting (XSS) vulnerability via /itop/webservices/export-v2.php.
CVE-2020-15220 — CVSS 6.1 (medium): Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, two cookies are created for the same…
CVE-2019-13965 — CVSS 6.1 (medium): Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file…
CVE-2019-13966 — CVSS 6.1 (medium): In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This…
CVE-2020-11696 — CVSS 6.1 (medium): In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential…
CVE-2024-52000 — CVSS 6.1 (medium): Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS)…
CVE-2020-11697 — CVSS 6.1 (medium): In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential…
CVE-2024-32870 — CVSS 5.8 (medium): Combodo iTop is a simple, web based IT Service Management tool. Server, OS, DBMS, PHP, and iTop info (name, version and parameters) can be…
CVE-2021-21406 — CVSS 5.8 (medium): Combodo iTop is an open source, web based IT Service Management tool. In versions prior to 2.7.4, there is a command injection…
CVE-2020-12781 — CVSS 5.7 (medium): Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request…
CVE-2023-43790 — CVSS 5.7 (medium): iTop is an IT service management platform. By manipulating HTTP queries, a user can inject malicious content in the fields used for the…
CVE-2024-51994 — CVSS 5.4 (medium): Combodo iTop is a web based IT Service Management tool. In affected versions uploading a text file containing some java script in the…
CVE-2022-24811 — CVSS 5.4 (medium): Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts…
CVE-2025-24026 — CVSS 5.3 (medium): iTop is an web based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS)…
CVE-2023-38511 — CVSS 5.0 (medium): iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config…
CVE-2025-24021 — CVSS 5.0 (medium): iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access…
CVE-2025-24969 — CVSS 5.0 (medium): iTop is an web based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contacts picture by changing the…
CVE-2025-24785 — CVSS 4.3 (medium): iTop is an web based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The…
CVE-2024-52001 — CVSS 4.3 (medium): Combodo iTop is a simple, web based IT Service Management tool. In affected versions portal users are able to access forbidden services…
CVE-2011-4275 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to…
CVE-2025-48878 — CVSS 4.3 (medium): Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference…
CVE-2013-0805 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the search feature in iTop (aka IT Operations Portal) 2.0, 1.2.1, 1.2, and earlier…
CVE-2024-51740 — CVSS 4.3 (medium): Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the…
CVE-2020-15219 — CVSS 4.3 (medium): Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the…
CVE-2023-45808 — CVSS 4.1 (medium): iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user…
CVE-2024-51993 — CVSS 3.4 (low): Combodo iTop is a web based IT Service Management tool. An attacker accessing a backup file or the database can read some passwords for…