CVE-2020-12779 - OpenCVE

Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Combodo	Itop

Configuration 1 [-]

OR	cpe:2.3:a:combodo:itop:::::-:::*
	cpe:2.3:a:combodo:itop:2.7.0:beta::::::

References

Link	Resource
https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: twcert

Published: 2020-08-10T00:00:00

Updated: 2020-09-25T16:03:55

Reserved: 2020-05-11T00:00:00

Link: CVE-2020-12779

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-08-10T03:15:12.717

Modified: 2020-10-28T17:24:40.187

Link: CVE-2020-12779

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "iTop", "vendor": "Combodo", "versions": [{"lessThanOrEqual": "2.7.0-beta2", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2020-08-10T00:00:00", "descriptions": [{"lang": "en", "value": "Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Stored XSS", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-09-25T16:03:55", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247"}], "solutions": [{"lang": "en", "value": "Update to version 2.7.1"}], "source": {"discovery": "UNKNOWN"}, "title": "Combodo iTop - Stored XSS", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2020-08-10T03:00:00.000Z", "ID": "CVE-2020-12779", "STATE": "PUBLIC", "TITLE": "Combodo iTop - Stored XSS"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "iTop", "version": {"version_data": [{"version_affected": "<=", "version_name": "0", "version_value": "2.7.0-beta2"}]}}]}, "vendor_name": "Combodo"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Stored XSS"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html"}, {"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247", "refsource": "MISC", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247"}]}, "solution": [{"lang": "en", "value": "Update to version 2.7.1"}], "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2020-12779", "datePublished": "2020-08-10T00:00:00", "dateReserved": "2020-05-11T00:00:00", "dateUpdated": "2020-09-25T16:03:55", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:-:*:*:*", "matchCriteriaId": "E1C17A72-0782-4697-82F8-868FE5A80BAA", "versionEndExcluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:2.7.0:beta:*:*:*:*:*:*", "matchCriteriaId": "45FEF8BA-8ABC-44B6-B3DA-F26F4AE86AEB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script."}, {"lang": "es", "value": "Combodo iTop contiene una vulnerabilidad de tipo Cross-site Scripting almacenado, que puede ser atacada mediante la carga de un archivo con un script malicioso"}], "id": "CVE-2020-12779", "lastModified": "2020-10-28T17:24:40.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2020-08-10T03:15:12.717", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-qqrf-j8qv-g247"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-3835-e8e8f-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}