CVE-2023-44396— iTop vulnerable to XSS in dashlet modifications ajax endpoints
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-44396
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
iTop vulnerable to XSS in dashlet modifications ajax endpoints
Source: NVD (National Vulnerability Database)
Vulnerability Description
iTop is an IT service management platform. Dashlet edits ajax endpoints can be used to produce XSS. Fixed in iTop 2.7.10, 3.0.4, and 3.1.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
iTop 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
iTop是一个提供优化 iTop 所需的所有资源的平台。 iTop 2.7.10, 3.0.4 和 3.1.1 版本存在安全漏洞,该漏洞源于Dashlet 编辑的 ajax 端点可用于产生跨站脚本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2023-44396
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-44396
请登录查看更多情报信息。
- https://github.com/Combodo/iTop/security/advisories/GHSA-gqqj-jgh6-3x35x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2023-44396
Same Patch Batch · Combodo · 2024-04-15 · 9 CVEs total
| CVE-2023-48710 | 9.8 CRITICAL | iTop limit pages/exec.php script to PHP files |
| CVE-2023-47622 | 8.8 HIGH | iTop vulnerable to XSS vulnerability in dashlet refresh |
| CVE-2023-47626 | 8.8 HIGH | iTop vulnerable to XSS vulnerability in authent-token |
| CVE-2023-47123 | 8.7 HIGH | iTop vulnerable to XSS vulnerability in n:n relations "tagset" widget |
| CVE-2023-48709 | 8.0 HIGH | iTop vulnerable to potential formula injection in Excel/CSV export file |
| CVE-2023-43790 | 5.7 MEDIUM | iTop vulnerable to XSS in friendlyname in object details |
| CVE-2023-38511 | 5.0 MEDIUM | iTop Dashboard editor vulnerable dashboard config file parameter |
| CVE-2023-45808 | 4.1 MEDIUM | iTop missing silo check on extkey in console and portal |
IV. Related Vulnerabilities
Same product: iTop
- CVE-2025-64167
Combodo iTop vulnerable to reflected XSS in webservices/expo - CVE-2025-49145
iTop admin can drop iTop database using webhooks - CVE-2025-48878
Combodo iTop vulnerable to IDOR with ModuleInstallation obje - CVE-2025-48065
Combodo iTop vulnerable to reflected XSS via objection editi - CVE-2025-48055
Combodo iTop has stored XSS in user portal's browse brick
Same vendor: Combodo
- CVE-2025-64167
Combodo iTop vulnerable to reflected XSS in webservices/expo - CVE-2025-49145
iTop admin can drop iTop database using webhooks - CVE-2025-48878
Combodo iTop vulnerable to IDOR with ModuleInstallation obje - CVE-2025-48065
Combodo iTop vulnerable to reflected XSS via objection editi - CVE-2025-48055
Combodo iTop has stored XSS in user portal's browse brick
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2023-44396
No comments yet