CVE-2025-47773

8.8 HIGH

📋 TL;DR

Combodo iTop versions before 2.7.13 and 3.2.2 contain a cross-site scripting vulnerability in dashboard editing via AJAX calls. This allows attackers to inject malicious scripts that execute in users' browsers when viewing manipulated dashboards. All users of affected iTop versions are vulnerable.

💻 Affected Systems

Products:
  • Combodo iTop
Versions: All versions prior to 2.7.13 and 3.2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to edit dashboards via AJAX calls.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.

🟠

Likely Case

Session hijacking leading to unauthorized access, data theft, or privilege escalation within the iTop application.

🟢

If Mitigated

Limited impact with proper input validation and output encoding, though some client-side disruption may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to dashboard editing functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.13 or 3.2.2

Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-9qmf-5457-9xp3

Restart Required: Yes

Instructions:

1. Backup your iTop installation and database.
2. Download iTop version 2.7.13 or 3.2.2 from official sources.
3. Follow the iTop upgrade documentation for your version.
4. Restart the web server service.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Implement server-side input validation for all dashboard editing parameters

Content Security Policy

Applies to: all

Implement strict CSP headers to limit script execution

🧯 If You Can't Patch

  • Restrict dashboard editing permissions to trusted administrators only
  • Implement web application firewall rules to block suspicious AJAX requests

🔍 How to Verify

Check if Vulnerable:

Check iTop version in administration panel or by examining the installation directory version files

Check Version:

Check the 'version.php' file in iTop installation directory or use the web interface's About page

Verify Fix Applied:

Verify version is 2.7.13 or higher for 2.x branch, or 3.2.2 or higher for 3.x branch
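The branch-aware comparison above (2.7.13 for the 2.x branch, 3.2.2 for the 3.x branch) is easy to get wrong with a plain string comparison; the following added example, not code from the advisory or from iTop, shows it as a small checker. The ITOP_VERSION define and the sample source line it parses are assumptions for illustration.

```python
"""Branch-aware check of an iTop version string against the CVE-2025-47773
fix versions (2.7.13 for the 2.x branch, 3.2.2 for the 3.x branch).
Added example; not part of the advisory or of iTop itself."""
import re
from typing import Optional, Tuple

# First fixed version per release branch, as stated in the advisory.
FIXED_BY_BRANCH = {2: (2, 7, 13), 3: (3, 2, 2)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '3.2.1' or an
    About-page line like 'iTop version 2.7.12-1'. A missing patch is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its own branch.
    Tuple comparison keeps 3.2.10 above 3.2.2, unlike a string compare."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        # Branches older than 2.x predate every fix; newer ones contain it.
        return v[0] < min(FIXED_BY_BRANCH)
    return v < fixed


def version_from_php_source(php: str) -> Optional[str]:
    """Pull the version out of a PHP define such as
    define('ITOP_VERSION', '3.1.0');  (assumed layout, for illustration)."""
    m = re.search(r"define\(\s*['\"]ITOP_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]", php)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample line standing in for a file read from the install dir.
    sample = "define('ITOP_VERSION', '2.7.12');"
    found = version_from_php_source(sample)
    print(found, "vulnerable" if found and is_vulnerable(found) else "fixed")
```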

📡 Detection & Monitoring

Log Indicators:

  • Unusual AJAX requests to dashboard editing endpoints
  • Suspicious script tags or JavaScript in dashboard content

Network Indicators:

  • Malicious script payloads in HTTP POST requests to dashboard AJAX endpoints

SIEM Query:

source="iTop" AND (uri_path="/pages/ajax.render.php" OR uri_path="/pages/ajax.dashboard.php") AND (http_method="POST") AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")

