CVE-2022-24870
📋 TL;DR
This vulnerability allows authorized users of Combodo iTop to inject malicious scripts into tooltips via the customization mechanism, creating a stored cross-site scripting (XSS) attack vector. The attack can be executed by authenticated users with customization privileges, potentially compromising other users' sessions or stealing sensitive data.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
Itop by Combodo
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authorized access could inject malicious scripts that execute in other users' browsers, leading to session hijacking, credential theft, data exfiltration, or complete compromise of user accounts.
Likely Case
Authorized malicious users or compromised accounts could inject scripts to steal session cookies, perform actions as other users, or deface the application interface.
If Mitigated
With proper input validation and output encoding, the script injection would be neutralized, preventing execution in user browsers.
🎯 Exploit Status
Exploitation requires authorized access to the iTop customization mechanism; the advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.0 beta3 or later
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3
Restart Required: Yes
Instructions:
1. Backup your iTop installation and database.
2. Download iTop version 3.0.0 beta3 or later from the official repository.
3. Replace the existing installation files with the patched version.
4. Restart the web server service.
5. Verify the update by checking the version in the iTop interface.
🧯 If You Can't Patch
- Restrict user permissions to prevent unauthorized access to customization features.
- Implement web application firewall (WAF) rules to block XSS payloads in tooltip inputs.
🔍 How to Verify
Check if Vulnerable:
Check the iTop version in the application interface or configuration files; if it's 3.0.0 beta, beta1, or beta2, it is vulnerable.
Check Version:
Check the 'itop-version.php' file or the application's admin interface for version information.
Verify Fix Applied:
After patching, verify the version is 3.0.0 beta3 or later and test tooltip customization for script injection attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual tooltip customization requests containing script tags or JavaScript code in POST data.
- Multiple failed XSS attempts in web server logs.
Network Indicators:
- HTTP requests to customization endpoints with suspicious payloads in parameters.
SIEM Query:
source="web_server_logs" AND (uri_path="/pages/exec.php" OR uri_path LIKE "%/tooltip%") AND (http_method="POST" OR http_method="GET") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%" OR parameters LIKE "%onerror=%")
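The SIEM query above as an added Python check (not part of the original advisory), run over constructed log records that use the query's own field names. It URL-decodes the body and parameters before matching, since payloads in POST data are normally percent-encoded, and applies all three patterns to both fields, which is slightly broader than the query.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample records (not real iTop traffic); field names follow
# the SIEM query: uri_path, http_method, request_body, parameters.
SAMPLE_LOGS = [
    {"uri_path": "/pages/exec.php", "http_method": "POST",
     "request_body": "tooltip=Server+room+access+policy", "parameters": ""},
    {"uri_path": "/pages/exec.php", "http_method": "POST",
     "request_body": "tooltip=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "parameters": ""},
    {"uri_path": "/env-production/tooltip/render", "http_method": "GET",
     "request_body": "", "parameters": "img=x onerror=alert(1)"},
    {"uri_path": "/pages/UI.php", "http_method": "POST",
     "request_body": "<script>alert(1)</script>", "parameters": ""},
]

# Path and payload conditions taken from the SIEM query on this page.
PATH_RE = re.compile(r"^/pages/exec\.php$|/tooltip", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"<script|javascript:|onerror=", re.IGNORECASE)


def _decoded(value: str) -> str:
    # Decode twice so single- and double-percent-encoded payloads are
    # compared in the form the browser would eventually render.
    return unquote_plus(unquote_plus(value or ""))


def is_suspicious(record: dict) -> bool:
    """True when a record satisfies the query's path, method and payload tests."""
    if not PATH_RE.search(record.get("uri_path", "")):
        return False
    if record.get("http_method", "").upper() not in ("POST", "GET"):
        return False
    text = _decoded(record.get("request_body", "")) + "\n" + \
        _decoded(record.get("parameters", ""))
    return bool(PAYLOAD_RE.search(text))


def find_suspicious(records):
    """Return the subset of records worth an analyst's attention."""
    return [r for r in records if is_suspicious(r)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit["http_method"], hit["uri_path"])
```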
🔗 References
- https://github.com/Combodo/iTop/security/advisories/GHSA-29h7-jw2p-pcw3
- https://huntr.dev/bounties/1625056040123-Combodo/iTop/?token=4d1195d5a50a9f0f7ae9fc24a2b0a3bd907427edaf7ee6ac1f8f31c11d8b7a5d2c204957125e63fd7cf3a87df6d5d12a35f9c7107ba5f33b5f668fa199a36932448b9bf186daa62cb32b5635770730eb68eeeba079b8864ab00358fd0dc65fa406d986525814a14951db2025e117f0098a1f270f5a5b2c935a65b00b5106e5511b61d501c4357654cb8ea76b
- https://www.github.com/combodo/itop/commit/ebbf6e56befda2070b00d68c7c3e531a6ce6b59e