{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-24022", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-16T17:31:06.459Z", "datePublished": "2025-05-14T14:57:37.960Z", "dateUpdated": "2026-01-20T15:37:55.868Z"}, "containers": {"cna": {"title": "iTop server vulnerable to portal code injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j"}, {"name": "https://github.com/Combodo/iTop/commit/082d865efaf8a349b60fe3875e9c726c24f8a8bd", "tags": ["x_refsource_MISC"], "url": "https://github.com/Combodo/iTop/commit/082d865efaf8a349b60fe3875e9c726c24f8a8bd"}, {"name": "https://github.com/Combodo/iTop/commit/37fc1a572380f2faa67fddea5b1a3a4ba72ed54e", "tags": ["x_refsource_MISC"], "url": "https://github.com/Combodo/iTop/commit/37fc1a572380f2faa67fddea5b1a3a4ba72ed54e"}, {"name": "https://github.com/Combodo/iTop/commit/5780f26817c2303c5bdd0ad16e21d4d959780b0b", "tags": ["x_refsource_MISC"], "url": "https://github.com/Combodo/iTop/commit/5780f26817c2303c5bdd0ad16e21d4d959780b0b"}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"version": "< 2.7.12", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.3", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T17:15:42.151Z"}, "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1."}], "source": {"advisory": "GHSA-rhv2-wfrr-4j2j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T15:11:31.622151Z", "id": "CVE-2025-24022", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:37:55.868Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24022", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-14T15:11:31.622151Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T15:12:10.949Z"}}], "cna": {"title": "iTop server vulnerable to portal code injection", "source": {"advisory": "GHSA-rhv2-wfrr-4j2j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"status": "affected", "version": "< 2.7.12"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.3"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.1"}]}], "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j", "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Combodo/iTop/commit/082d865efaf8a349b60fe3875e9c726c24f8a8bd", "name": "https://github.com/Combodo/iTop/commit/082d865efaf8a349b60fe3875e9c726c24f8a8bd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Combodo/iTop/commit/37fc1a572380f2faa67fddea5b1a3a4ba72ed54e", "name": "https://github.com/Combodo/iTop/commit/37fc1a572380f2faa67fddea5b1a3a4ba72ed54e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Combodo/iTop/commit/5780f26817c2303c5bdd0ad16e21d4d959780b0b", "name": "https://github.com/Combodo/iTop/commit/5780f26817c2303c5bdd0ad16e21d4d959780b0b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T17:15:42.151Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24022", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:37:55.868Z", "dateReserved": "2025-01-16T17:31:06.459Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-14T14:57:37.960Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC277226-1ABB-4593-B14C-4910541DA298", "versionEndExcluding": "2.7.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C365D2D-CA46-4DA0-8739-7950631132E0", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE41CA6-35B8-41BA-B116-B63136CA48C9", "versionEndExcluding": "3.2.1", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1."}, {"lang": "es", "value": "iTop es una herramienta web de gesti\u00f3n de servicios de TI. En versiones anteriores a la 2.7.12, 3.1.3 y 3.2.1, la ejecuci\u00f3n de c\u00f3digo del servidor era posible a trav\u00e9s del frontend del portal de iTop. Este problema se solucion\u00f3 en las versiones 2.7.12, 3.1.3 y 3.2.1."}], "id": "CVE-2025-24022", "lastModified": "2026-01-16T18:16:06.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-14T15:15:56.293", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Combodo/iTop/commit/082d865efaf8a349b60fe3875e9c726c24f8a8bd"}, {"source": "security-advisories@github.com", "url": "https://github.com/Combodo/iTop/commit/37fc1a572380f2faa67fddea5b1a3a4ba72ed54e"}, {"source": "security-advisories@github.com", "url": "https://github.com/Combodo/iTop/commit/5780f26817c2303c5bdd0ad16e21d4d959780b0b"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rhv2-wfrr-4j2j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}