CVE-2025-48065
📋 TL;DR
This cross-site scripting (XSS) vulnerability in Combodo iTop allows attackers to inject malicious scripts into error messages that are displayed to users. When exploited, this can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. Organizations running iTop 2.x before 2.7.13 or 3.x before 3.2.2 are affected.
💻 Affected Systems
- Combodo iTop
📦 What is this software?
Itop by Combodo
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, administrative privilege escalation, data exfiltration, and full compromise of the iTop instance and connected systems.
Likely Case
Session hijacking, credential theft, unauthorized data access, and manipulation of iTop records by authenticated attackers.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
Exploitation requires the attacker to trigger an error with malicious content that gets displayed to users. Likely requires some level of access to create/modify records.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.13 or 3.2.2
Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-292c-hgcf-2g22
Restart Required: Yes
Instructions:
1. Back up your iTop instance and database.
2. Download the patched version from the official iTop repository.
3. Follow the iTop upgrade documentation for your version.
4. Apply the update files to your installation.
5. Run the setup/upgrade process.
6. Verify the installation works correctly.
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict script execution sources and mitigate XSS impact
Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
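A CSP only helps against this bug class if the policy that actually reaches the browser forbids inline script, which is the form a script injected into an error message takes. The following check is an added example (not part of this advisory or of iTop) that parses a Content-Security-Policy header value and reports whether inline script execution is blocked, comparing a constructed weak policy with the header recommended above. It assumes the header value has already been read from a response (for instance from your web server or a test request); before deploying the policy, test the application pages thoroughly, since any page that relies on inline scripts will break under `script-src 'self'`.

```python
import re

# Directives that govern script execution, in order of precedence:
# browsers fall back to default-src when script-src is absent.
SCRIPT_DIRECTIVES = ("script-src", "default-src")


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def effective_script_sources(policy: dict):
    """Return the source list that applies to scripts, or None if unrestricted."""
    for directive in SCRIPT_DIRECTIVES:
        if directive in policy:
            return policy[directive]
    return None


def csp_blocks_inline_scripts(header: str) -> bool:
    """True when the policy prevents inline <script> blocks and event handlers.

    A stored XSS in an error message relies on inline script, so a policy that
    still permits it gives almost no protection against this bug class.
    """
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return False  # no script-src and no default-src: nothing is restricted
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return True
    # CSP Level 2+: a nonce or hash source makes 'unsafe-inline' ignored.
    return any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in lowered)


# Constructed header values: a weak policy beside the one the advisory recommends.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'"
RECOMMENDED_POLICY = "default-src 'self'; script-src 'self'"

if __name__ == "__main__":
    for label, value in (("weak", WEAK_POLICY), ("recommended", RECOMMENDED_POLICY)):
        print(f"{label}: blocks inline scripts = {csp_blocks_inline_scripts(value)}")
```

The check deliberately treats a policy with no `script-src` and no `default-src` as offering no protection, because such a header restricts images or frames but leaves script execution unconstrained.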
Input Validation Enhancement
Implement additional input validation for all user-controllable fields
Review and enhance validation in custom fields and extensions
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to limit script execution
- Deploy a Web Application Firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check the iTop version in the application interface or configuration files. 2.x releases before 2.7.13 and 3.x releases before 3.2.2 are vulnerable.
Check Version:
Check the 'itop/application/version.inc.php' file or the About page in the iTop interface
Verify Fix Applied:
After patching, verify the version shows 2.7.13 or higher (for 2.x) or 3.2.2 or higher (for 3.x). Test error message rendering with test payloads.
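Version strings are easy to compare wrongly (as plain strings, "3.2.10" sorts before "3.2.2"), and the fixed release differs per branch, so a small branch-aware comparison is worth having when checking many instances. This is an added example, not tooling from the advisory or from iTop: it extracts a numeric version from a string such as the value shown on the About page or a line read from the version file, and reports whether it falls below the fixed release for its branch. The `define('ITOP_VERSION', ...)` line in the sample is an assumed shape for the file's contents, constructed here for the demonstration.

```python
import re

# Fixed releases named in the advisory, keyed by major version branch.
FIXED_VERSIONS = {2: (2, 7, 13), 3: (3, 2, 2)}


def parse_version(text: str) -> tuple:
    """Extract a numeric (major, minor, patch) tuple from a version string.

    Accepts plain values such as '2.7.12' or '3.2.1-2' as well as a line
    containing the number, e.g. "define('ITOP_VERSION', '3.1.0');" (assumed shape).
    A missing patch component is treated as 0.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text: str):
    """True for 2.x before 2.7.13 or 3.x before 3.2.2, False once patched,
    None when the major branch is not covered by the advisory."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison, so 3.2.10 is correctly newer than 3.2.2


if __name__ == "__main__":
    # Constructed sample inputs, one per branch and one in the assumed file format.
    for sample in ("2.7.12", "2.7.13", "3.1.0", "3.2.2", "define('ITOP_VERSION', '3.2.1-2');"):
        print(f"{sample!r}: vulnerable = {is_vulnerable(sample)}")
```

Run it against the version read from each instance after the upgrade; a result of `False` confirms the version is at or above the fixed release for its branch, which is the check described above.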
📡 Detection & Monitoring
Log Indicators:
- Unusual error messages containing script tags or JavaScript code
- Multiple failed validation attempts on fields
- Suspicious user input patterns in application logs
Network Indicators:
- HTTP requests containing script payloads in parameters
- Unexpected external script loads in error pages
SIEM Query:
source="iTop_logs" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")