ALT-PU-2025-10037-3

Update of the itop package in branch c10f2

Version: 3.2.1.1-alt1
Task: #391669
Published: 2025-08-06
Max. severity: HIGH

Closed issues (7)

CVE-2024-52601
MEDIUM 6.5

iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can have read access to objects they're not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

Published: 2025-05-14; Modified: 2025-08-01
CVSS 3.x: MEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2024-56157
MEDIUM 6.3

iTop is a web-based IT Service Management tool. Prior to versions 3.1.3 and 3.2.1, by placing malicious code in CSV content, a cross-site scripting attack can be performed when this content is imported. The issue is fixed in versions 3.1.3 and 3.2.1. As a workaround, check CSV content before importing it.

Published: 2025-05-14; Modified: 2025-08-01
CVSS 3.x: MEDIUM 6.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
CVE-2025-24021
MEDIUM 5.0

iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set values of object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

Published: 2025-05-14; Modified: 2025-08-22
CVSS 3.x: MEDIUM 5.0
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
CVE-2025-24022
HIGH 8.5

iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.

Published: 2025-05-14; Modified: 2026-01-16
CVSS 3.x: HIGH 8.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2025-24026
MEDIUM 5.3

iTop is a web-based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect the iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a workaround, if iTop's app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS.

Published: 2025-05-14; Modified: 2025-08-01
CVSS 3.x: MEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2025-24785
MEDIUM 4.3

iTop is a web-based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard.

Published: 2025-05-14; Modified: 2025-08-01
CVSS 3.x: MEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVE-2025-24969
MEDIUM 5.0

iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue.

Published: 2025-05-14; Modified: 2025-08-05
CVSS 3.x: MEDIUM 5.0
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N