CVE-2024-51994
📋 TL;DR
This CVE describes a stored cross-site scripting (XSS) vulnerability in Combodo iTop's portal where uploading a text file containing JavaScript can execute malicious code in users' browsers. All users of affected iTop versions are vulnerable. Attackers could steal session cookies, perform actions as authenticated users, or deface the portal.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
Itop by Combodo
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full administrative access to the iTop instance, modifies configurations, accesses sensitive IT service management data, and potentially pivots to other systems.
Likely Case
Attacker uploads malicious file via portal, steals session cookies from users who view/download the file, impersonates those users to access or modify service tickets and IT assets.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, limiting impact to file upload functionality disruption.
🎯 Exploit Status
Exploitation requires access to upload files via the portal interface. The advisory suggests the vulnerability is in how uploaded text files are processed and displayed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.0
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-jjph-c25g-5c7g
Restart Required: Yes
Instructions:
1. Backup your iTop instance and database.
2. Download iTop version 3.2.0 or later from official sources.
3. Follow the iTop upgrade documentation to apply the update.
4. Restart your web server.
5. Verify the portal functionality works correctly.
🔧 Temporary Workarounds
Disable portal file uploads
Temporarily disable file upload functionality in the iTop portal configuration to prevent exploitation.
Modify portal configuration files to remove or restrict file upload capabilities
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Deploy a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check your iTop version via the administration interface or by examining the installation directory. Versions below 3.2.0 are vulnerable.
Check Version:
Check the 'itop/version.php' file or the 'About' section in the iTop administration interface
Verify Fix Applied:
After upgrading to 3.2.0 or later, test file upload functionality in the portal with test scripts to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to portal endpoints
- JavaScript content in uploaded text files
- Multiple failed upload attempts with script-like content
Network Indicators:
- POST requests to portal upload endpoints containing JavaScript
- Subsequent requests with stolen session cookies
SIEM Query:
source="iTop_logs" AND (url_path="/portal/upload" OR message="file upload") AND (message CONTAINS "script" OR message CONTAINS "javascript")
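The log and network indicators above, turned into a small detection routine. This is an added example, not iTop code or the advisory's own query: it assumes a key=value event format (constructed sample lines below, not real iTop output) and uses the /portal/upload path from the SIEM query as the upload endpoint.

```python
import re
from collections import Counter

# Constructed sample events in an assumed key=value format; not real iTop log output.
SAMPLE_LOG = """\
ts=2024-06-01T10:00:01Z ip=203.0.113.5 method=POST url_path=/portal/upload status=200 message="file upload notes.txt"
ts=2024-06-01T10:00:05Z ip=198.51.100.7 method=POST url_path=/portal/upload status=200 message="file upload <script>alert('xss-test')</script>.txt"
ts=2024-06-01T10:00:09Z ip=198.51.100.7 method=POST url_path=/portal/upload status=413 message="file upload a.txt javascript:alert(1)"
ts=2024-06-01T10:00:10Z ip=198.51.100.7 method=POST url_path=/portal/upload status=415 message="file upload b.svg <img src=x onerror=alert(1)>"
ts=2024-06-01T10:00:11Z ip=198.51.100.7 method=POST url_path=/portal/upload status=415 message="file upload c.txt <script>x</script>"
ts=2024-06-01T10:00:20Z ip=203.0.113.5 method=GET url_path=/portal/ticket/42 status=200 message="view ticket"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Script-like markers covered by the page's indicators: inline script tags, javascript: URLs, event handlers.
SCRIPT_RE = re.compile(r"<script|javascript:|on\w+\s*=", re.IGNORECASE)
UPLOAD_PATHS = ("/portal/upload",)  # assumed endpoint, taken from the page's SIEM query
FAILED_BURST = 3  # rejected script-like uploads from one source before raising a burst finding

def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def scan_upload_events(log_text):
    """Return findings as (rule, ip, detail) for script-like uploads and failed-upload bursts."""
    findings, failed = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("method") != "POST" or not ev.get("url_path", "").startswith(UPLOAD_PATHS):
            continue  # only POSTs to the portal upload endpoint are of interest
        if not SCRIPT_RE.search(ev.get("message", "")):
            continue  # plain uploads are normal portal traffic
        findings.append(("script_in_upload", ev["ip"], ev["message"]))
        if ev.get("status", "").startswith(("4", "5")):
            failed[ev["ip"]] += 1
    for ip, n in failed.items():
        if n >= FAILED_BURST:
            findings.append(("failed_script_upload_burst", ip, f"{n} rejected uploads"))
    return findings

if __name__ == "__main__":
    for rule, ip, detail in scan_upload_events(SAMPLE_LOG):
        print(f"{rule:28} {ip:15} {detail}")
```

On the sample data this flags the four script-like uploads from 198.51.100.7 and a burst finding for its three rejected attempts, while the plain upload and ticket view from 203.0.113.5 are left alone.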