CVE-2025-64167 – This vulnerability allows attackers to inject m... (How to Fix)

Q: What is the severity of CVE-2025-64167?

CVE-2025-64167 has a CVSS score of 7.1 (HIGH). This vulnerability allows attackers to inject malicious JavaScript via the URL parameter in Combodo iTop's export.php file, leading to cross-site scripting attacks. Users of iTop versions prior to 2.7.13 and 3.2.2 are affected when accessing the deprecated export.php endpoint.

📋 TL;DR

This vulnerability allows attackers to inject malicious JavaScript via the URL parameter in Combodo iTop's export.php file, leading to cross-site scripting attacks. Users of iTop versions prior to 2.7.13 and 3.2.2 are affected when accessing the deprecated export.php endpoint.

💻 Affected Systems

Products:

Combodo iTop

Versions: All versions prior to 2.7.13 and 3.2.2

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using the deprecated export.php endpoint. Versions 2.7.13 and 3.2.2 use export-v2.php instead.

📦 What is this software?

Itop by Combodo

View all CVEs affecting Itop →

Itop by Combodo

View all CVEs affecting Itop →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to full account compromise.

🟠

Likely Case

Attackers inject malicious scripts that steal user session data or credentials when victims visit crafted URLs.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user interaction (visiting malicious URL) but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.13 or 3.2.2

Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-pr7w-2cr9-5h38

Restart Required: No

Instructions:

1. Backup your iTop installation. 2. Upgrade to iTop version 2.7.13 or 3.2.2. 3. Verify export.php is no longer accessible.

🔧 Temporary Workarounds

Disable export.php endpoint

linux

Remove or restrict access to the vulnerable export.php file

mv /path/to/itop/export.php /path/to/itop/export.php.disabled

Implement WAF rules

all

Add web application firewall rules to block malicious URL parameters

🧯 If You Can't Patch

Implement strict Content Security Policy headers
Deploy web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check if export.php exists in your iTop installation directory and verify version is below 2.7.13 or 3.2.2

Check Version:

Check iTop configuration file or admin interface for version number

Verify Fix Applied:

Confirm export.php is removed or inaccessible, and version is 2.7.13 or 3.2.2

📡 Detection & Monitoring

Log Indicators:

Unusual access to export.php with suspicious URL parameters
Multiple failed attempts to access export.php

Network Indicators:

HTTP requests to export.php containing script tags or JavaScript in URL parameters

SIEM Query:

source="web_server" AND uri="/export.php" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")

📊 Metadata

CVE ID: CVE-2025-64167

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE: CWE-79

EPSS Score: 0.06% exploit probability (17th percentile)

Published: November 10, 2025

Last Updated: November 21, 2025

🔗 References

https://github.com/Combodo/iTop/security/advisories/GHSA-pr7w-2cr9-5h38 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64167, you might also want to check these: