CVE-2024-51993

Combodo iTop is a web based IT Service Management tool. An attacker accessing a backup file or the database can read some passwords for misconfigured Users. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. Users unable to upgrade are advised to encrypt their backups independently of the iTop application. ### Patches Sanitize parameter ### References N°7631 - Password is stored in clear in the database.

CVSS v3 3.4 LOW

3.4^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*

History

04 Apr 2025, 20:05

Type	Values Removed	Values Added
CPE		cpe:2.3:a:combodo:itop::::::::
First Time		Combodo Combodo itop
References	~~() https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427 -~~	() https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427 - Vendor Advisory

08 Nov 2024, 19:01

Type	Values Removed	Values Added
Summary		(es) Combodo iTop es una herramienta de gestión de servicios de TI basada en la web. Un atacante que acceda a un archivo de copia de seguridad o a la base de datos puede leer algunas contraseñas de usuarios mal configurados. Este problema se ha solucionado en la versión 3.2.0 y se recomienda a todos los usuarios que actualicen. Se recomienda a los usuarios que no puedan actualizar que encripten sus copias de seguridad independientemente de la aplicación iTop. ### Patches Sanitize parameter ### Referencias N°7631 - La contraseña se almacena sin cifrar en la base de datos.

07 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 18:15

Updated : 2025-04-04 20:05

NVD link : CVE-2024-51993

Mitre link : CVE-2024-51993

CVE.ORG link : CVE-2024-51993

JSON object : View

Products Affected

combodo

itop

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2024-51993", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 3.4, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.8}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.4, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.8}]}, "published": "2024-11-07T18:15:18.203", "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9mq5-349x-x427", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "Combodo iTop is a web based IT Service Management tool. An attacker accessing a backup file or the database can read some passwords for misconfigured Users. This issue has been addressed in version 3.2.0 and all users are advised to upgrade. Users unable to upgrade are advised to encrypt their backups independently of the iTop application.\n\n### Patches\nSanitize parameter\n\n### References\nN\u00b07631 - Password is stored in clear in the database."}, {"lang": "es", "value": "Combodo iTop es una herramienta de gesti\u00f3n de servicios de TI basada en la web. Un atacante que acceda a un archivo de copia de seguridad o a la base de datos puede leer algunas contrase\u00f1as de usuarios mal configurados. Este problema se ha solucionado en la versi\u00f3n 3.2.0 y se recomienda a todos los usuarios que actualicen. Se recomienda a los usuarios que no puedan actualizar que encripten sus copias de seguridad independientemente de la aplicaci\u00f3n iTop. ### Patches Sanitize parameter ### Referencias N\u00b07631 - La contrase\u00f1a se almacena sin cifrar en la base de datos."}], "lastModified": "2025-04-04T20:05:22.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A59157AC-6016-4FB6-A3BD-08EAB161CF96", "versionEndExcluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}