This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Insecure Direct Object Reference (IDOR)** in Combodo iTop. Allows unauthorized creation of `ModuleInstallation` objects…
**CWE-918**: Insecure Direct Object Reference. The app exposes internal object references (such as ModuleInstallation) without proper authorization checks. Flaw: no validation of user permissions before object creation.
Q3 Who is affected? (Versions/Components)
**Affected**: Combodo iTop versions **before 3.2.2**. Component: web application core handling module installations. All deployments running vulnerable versions are at risk.
**Low exploitation threshold**. Requires only low privileges (PR:L). No user interaction needed (UI:N). Exploitable remotely (AV:N). Easy to automate.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**No public PoC** listed. References only point to the official advisory (GHSA-rj75-7cgw-4556). No evidence of in-the-wild exploitation reported.
Q7 How to self-check? (Features/Scanning)
**Self-check**: Audit the `ModuleInstallation` creation endpoints. Use tools such as Burp Suite to test whether low-privilege users can create modules. Check logs for unexpected module installs.
Q8 Is it fixed officially? (Patch/Mitigation)
**Officially fixed in v3.2.2**. The patch adds access control enforcement for ModuleInstallation. Upgrade to 3.2.2 or later to resolve.
Q9 What if no patch? (Workaround)
**Workaround**: Disable the module installation feature if it is not needed. Implement custom access control via iTop extensions. Monitor logs for unauthorized module creation.
Q10 Is it urgent? (Priority Suggestion)
**Medium urgency**. CVSS 3.1: 5.3 (L:Low, I:Low, C:None). Not critical, but **should be patched promptly** to prevent service disruption or privilege creep. Prioritize if module management is active.