CVE-2025-27139
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the preferences page of Combodo iTop, a web-based IT service management tool. When exploited, it enables cross-site scripting attacks that can steal session cookies, redirect users, or perform actions on their behalf. Organizations using iTop versions prior to 2.7.12, 3.1.2, or 3.2.0 are affected.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
Itop by Combodo
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full administrative access to iTop, and potentially compromises the entire IT service management system and connected infrastructure.
Likely Case
Attacker steals user session cookies, impersonates legitimate users, accesses sensitive IT service data, and performs unauthorized actions within their permission scope.
If Mitigated
Script execution is blocked by Content Security Policy or input validation, limiting impact to minor UI disruption without data compromise.
🎯 Exploit Status
Exploitation requires user interaction with a malicious link or crafted content; authenticated access to the preferences page is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.12, 3.1.2, or 3.2.0
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-c6mg-9537-c8cf
Restart Required: Yes
Instructions:
1. Back up your iTop installation and database.
2. Download the patched version (2.7.12, 3.1.2, or 3.2.0) from official sources.
3. Follow the iTop upgrade documentation for your version.
4. Restart the web server service.
5. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Content Security Policy Implementation
Implement strict Content Security Policy headers to block inline script execution and restrict script sources.
Add to web server configuration: Content-Security-Policy: script-src 'self';
Do not include 'unsafe-inline' or 'unsafe-eval' in script-src: they re-enable exactly the inline and eval execution the policy is meant to block. If the application needs inline scripts, allow them with a nonce or hash instead, and trial the policy with a Content-Security-Policy-Report-Only header before enforcing it so legitimate iTop pages are not broken.
Input Validation Filter
Add web application firewall rules or input validation to sanitize user input on the preferences page.
Configure the WAF to filter <script> tags and JavaScript event handlers in POST/GET parameters, matching against URL-decoded parameter values so that encoded payloads do not slip past a plain string filter.
🧯 If You Can't Patch
- Restrict access to iTop application to trusted networks only using firewall rules.
- Implement strong session management with short timeouts and secure cookie attributes (HttpOnly, Secure).
🔍 How to Verify
Check if Vulnerable:
Check the iTop version in the administration panel or by examining the application files; versions below 2.7.12 (2.7 branch), 3.1.2 (3.1 branch), or 3.2.0 are vulnerable.
Check Version:
Check the iTop configuration file or the administration dashboard for version information.
Verify Fix Applied:
After patching, verify that the version shown in the administration panel is 2.7.12, 3.1.2, or 3.2.0 and test that the preferences page still works.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to preferences page with script tags or JavaScript code
- Multiple failed login attempts followed by preferences page access
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in URL parameters or POST data to preferences endpoint
SIEM Query:
source="iTop_logs" AND (uri_path="/pages/preferences" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
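A script-level version of the detection logic above, added here as an example and not part of this advisory or of iTop itself: it applies the indicators the page lists (script tags, javascript: URLs, inline event handlers) to constructed web-server access-log lines after URL decoding. The combined log format, the sample lines, and the endpoint path (taken from the SIEM query above; adjust it to the deployment's real path) are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Endpoint path from this page's SIEM query; adjust to the deployment's real path.
PREFERENCES_PATH = "/pages/preferences"

# Indicators the page lists: <script> tags, javascript: URLs, and inline
# event handlers (onerror=, onload=, ...) in query or body parameters.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:|[\s\"']on[a-z]+\s*=", re.I)

# Common/combined access-log format (assumed). Groups: ip, method, uri, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def is_suspicious(uri: str, body: str = "") -> bool:
    """True when the request targets the preferences page and its query
    string or body carries script-like content after URL decoding."""
    path, _, query = uri.partition("?")
    if not path.startswith(PREFERENCES_PATH):
        return False
    # Decode twice so a double-encoded payload (%253C -> %3C -> <) is caught too.
    decoded = unquote_plus(unquote_plus(query + " " + body))
    return SUSPICIOUS.search(decoded) is not None

def scan_access_log(lines):
    """Return (client_ip, method, uri) for each request matching the rule;
    lines that do not parse are skipped rather than flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ip, method, uri, _status = m.groups()
        if is_suspicious(uri):
            hits.append((ip, method, uri))
    return hits

# Constructed sample lines (not real traffic). Line 2 checks that an ordinary
# parameter starting with "on" is not flagged; lines 3 and 4 are the kind of
# request the page's log indicators describe (the last one double-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - alice [10/Mar/2025:09:14:02 +0000] "GET /pages/preferences?language=EN HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [10/Mar/2025:09:14:30 +0000] "GET /pages/preferences?online=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [10/Mar/2025:09:15:40 +0000] "GET /pages/preferences?param=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '10.0.0.12 - eve [10/Mar/2025:09:17:13 +0000] "GET /pages/preferences?param=%2522%2520onerror%253Dx HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, method, uri in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip} {method} {uri}")
```

Access logs only carry the query string, so the `body` argument of `is_suspicious` is for sources (WAF or application logs) that record POST data; feed it from there to cover the request_body condition of the SIEM query.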