Cyblex Technologies’ pentesters have discovered several vulnerabilities affecting versions of Combodo’s iTop software prior to 2.7.2 and 3.0.0. We reported them to the vendor, Combodo, which has since fixed them.
What are the vulnerabilities identified?
The high-severity CVE-2020-15220 allowed two cookies to be created for a single session, which could be used to spoof user sessions, including sessions with administrative rights.
CVE-2020-15218, of moderate severity, allowed Admin pages to be cached by the browser, so that their content remained visible via the browser’s Back button after logging out of the account. Admin pages could also be embedded in an iframe.
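The two weaknesses behind CVE-2020-15218 are both visible in the HTTP response headers of a sensitive page: nothing telling the browser not to store the page, and nothing forbidding other sites from framing it. The check below is an added example, not code from Cyblex or Combodo; the header sets it inspects are constructed samples, not captured iTop responses.

```python
"""Audit response headers of a sensitive (e.g. Admin) page for two
weaknesses: the page may be cached by the browser (content readable via
the Back button after logout) and the page may be loaded in an iframe.
All header sets below are constructed samples, not real iTop responses."""
from typing import Dict, List, Optional


def _cache_directives(value: str) -> set:
    # Cache-Control is a comma-separated directive list; match case-insensitively.
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def _frame_ancestors(csp: str) -> Optional[str]:
    # Return the frame-ancestors source list from a CSP header, or None if absent.
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None


def audit_sensitive_page_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means both controls are present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    # no-store is the directive that keeps a page out of the browser cache;
    # private or max-age alone still lets the Back button replay it.
    if "no-store" not in _cache_directives(h.get("cache-control", "")):
        findings.append("cacheable: Cache-Control lacks no-store")
    xfo = h.get("x-frame-options", "").strip().lower()
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    # Framing is blocked by X-Frame-Options DENY/SAMEORIGIN or by a CSP
    # frame-ancestors directive that is not the wildcard (review its sources).
    framing_blocked = xfo in ("deny", "sameorigin") or (
        ancestors is not None and ancestors not in ("", "*"))
    if not framing_blocked:
        findings.append("framable: no X-Frame-Options and no restrictive CSP frame-ancestors")
    return findings


# Constructed sample: a response showing both weaknesses.
WEAK = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
# Constructed sample: the headers a hardened deployment should send for Admin pages.
HARDENED = {"Content-Type": "text/html",
            "Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache", "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sensitive_page_headers(hdrs) or ["ok"])
```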
CVE-2020-15219, of moderate severity, exposed a SQL query to the user when a download error was triggered in the user portal. The risk was that such error output gives a malicious user sensitive information about how the software works internally.
CVE-2020-15221, of moderate severity, could lead to XSS in the breadcrumb trail of the iTop console if the target browser’s local storage had been modified.
How to protect yourself:
These CVEs were fixed in versions 2.7.2 and 3.0.0. Update if you are running an older version.
If you want to know which vulnerabilities threaten your website, software and information systems before cybercriminals take advantage of them, a pentest will help you identify them, assess the degree of risk involved, and prioritize the corrections. At Cyblex Technologies, our team of pentesters offers this type of service to help companies protect themselves against website and information system intrusions, and thus limit, among other things, data theft and ransomware.