CVE-2021-41161
📋 TL;DR
This vulnerability allows attackers to inject malicious JavaScript into CSV files exported from Combodo iTop. When users open these CSV files, the JavaScript executes in their browser context, potentially leading to session hijacking or credential theft. All users of iTop versions before 3.0.0-beta6 are affected.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
iTop by Combodo
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users.
Likely Case
Attackers inject malicious JavaScript that steals user session cookies or credentials when users open exported CSV files.
If Mitigated
With proper Content Security Policy headers and user awareness training, impact is limited to individual user sessions rather than system compromise.
🎯 Exploit Status
Exploitation requires authenticated access to the CSV export functionality. The vulnerability is a classic cross-site scripting (XSS) issue in CSV output.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.0-beta6 and later
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc
Restart Required: Yes
Instructions:
1. Back up your iTop installation and database.
2. Download iTop version 3.0.0-beta6 or later from the official repository.
3. Follow the iTop upgrade documentation to apply the update.
4. Restart your web server.
5. Verify the fix by testing CSV export functionality.
🔧 Temporary Workarounds
Disable CSV Export
- Temporarily disable CSV export functionality in iTop to prevent exploitation
- Modify the iTop configuration to remove CSV export permissions from user roles
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to mitigate XSS impact
- Restrict CSV export permissions to trusted administrators only
🔍 How to Verify
Check if Vulnerable:
Check your iTop version in the administration panel or by examining the version.php file. If the version is below 3.0.0-beta6, you are vulnerable.
Check Version:
Check the version in iTop web interface under Administration → About, or examine the file 'version.php' in the iTop installation directory.
Verify Fix Applied:
After upgrading, test CSV export functionality and verify that user-supplied parameters are properly escaped in the output.
📡 Detection & Monitoring
Log Indicators:
- Unusual CSV export requests with JavaScript payloads in parameters
- Multiple CSV export requests from single users in short timeframes
Network Indicators:
- CSV file downloads containing JavaScript code
- Requests to CSV export endpoints with suspicious parameter values
SIEM Query:
source="iTop_logs" AND ("export.php" OR "csv") AND ("script" OR "javascript" OR "onload" OR "onerror")
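As an added example that is not part of this advisory or of the iTop project, the following Python applies the two log indicators and the SIEM query terms above to constructed web-server access lines. The log format, request paths, user names and burst threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined-style); paths, users and IPs are made up.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Oct/2021:10:01:02 +0000] "GET /pages/export.php?format=csv&class=Ticket HTTP/1.1" 200 512
10.0.0.9 - bob [12/Oct/2021:10:02:10 +0000] "GET /pages/export.php?format=csv&fields=%3Cscript%3E HTTP/1.1" 200 640
10.0.0.9 - bob [12/Oct/2021:10:02:15 +0000] "GET /pages/export.php?format=csv&fields=x%22%20onerror%3Dx HTTP/1.1" 200 630
10.0.0.9 - bob [12/Oct/2021:10:02:40 +0000] "GET /pages/export.php?format=csv&class=Ticket HTTP/1.1" 200 512
10.0.0.5 - alice [12/Oct/2021:10:05:00 +0000] "GET /pages/UI.php HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Terms from the SIEM query above, matched against the URL-decoded query string
MARKERS = ("<script", "javascript:", "onload", "onerror")
BURST_LIMIT, BURST_WINDOW = 3, timedelta(seconds=60)  # assumed threshold for "many exports"

def parse_line(line):  # returns a dict for one access-log line, or None if it does not match
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, ts, method, url, status = m.groups()
    return {"ip": ip, "user": user, "method": method, "url": url, "status": int(status),
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}

def is_csv_export(url):  # export endpoint, or any request asking for CSV output
    parts = urlsplit(url)
    return "export.php" in parts.path.lower() or "csv" in unquote_plus(parts.query).lower()

def find_indicators(log_text):
    """Flag export requests carrying script-like parameters and per-user export bursts."""
    findings, exports = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_csv_export(rec["url"]):
            continue
        decoded = unquote_plus(urlsplit(rec["url"]).query).lower()
        hits = [marker for marker in MARKERS if marker in decoded]
        if hits:
            findings.append(("payload", rec["user"], hits))
        exports[rec["user"]].append(rec["time"])
    for user, times in exports.items():  # sliding window over each user's export timestamps
        times.sort()
        for i in range(len(times) - BURST_LIMIT + 1):
            if times[i + BURST_LIMIT - 1] - times[i] <= BURST_WINDOW:
                findings.append(("burst", user, BURST_LIMIT))
                break
    return findings
```

Running `find_indicators(SAMPLE_LOG)` reports two payload findings and one burst finding, all for user bob, and nothing for alice.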
🔗 References
- https://github.com/Combodo/iTop/commit/c8f3d23d30c018bc44189b38fa34a5fffb4edb22
- https://github.com/Combodo/iTop/security/advisories/GHSA-788f-g6g9-f8fc