OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Combodo	Itop

Configuration 1 [-]

OR	cpe:2.3:a:combodo:itop:1.1.181:::::::*
	cpe:2.3:a:combodo:itop:1.2.0:rc282::::::

No data.

References

Link	Providers
http://www.securityfocus.com/archive/1/520632
http://www.securityfocus.com/archive/1/520632/100/0/threaded
http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2011-11-26T02:00:00

Updated: 2024-08-07T00:01:51.531Z

Reserved: 2011-11-03T00:00:00

Link: CVE-2011-4275

Vulnrichment

No data.

NVD

Status : Modified

Published: 2011-11-26T03:57:45.693

Modified: 2024-11-21T01:32:07.323

Link: CVE-2011-4275

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-11-16T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20111116 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/520632"}, {"name": "20111121 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/520632/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-4275", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20111116 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/520632"}, {"name": "20111121 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/520632/100/0/threaded"}, {"name": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt", "refsource": "MISC", "url": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T00:01:51.531Z"}, "title": "CVE Program Container", "references": [{"name": "20111116 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/520632"}, {"name": "20111121 TC-SA-2011-02: Multiple web-vulnerabilities in iTop version 1.1.181", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/520632/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-4275", "datePublished": "2011-11-26T02:00:00", "dateReserved": "2011-11-03T00:00:00", "dateUpdated": "2024-08-07T00:01:51.531Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:1.1.181:*:*:*:*:*:*:*", "matchCriteriaId": "9F9E3F71-8F14-4EC9-914D-B4E755D87D93", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:1.2.0:rc282:*:*:*:*:*:*", "matchCriteriaId": "405DE014-374E-409B-B028-B2D71DC23293", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php."}, {"lang": "es", "value": "M\u00faltiples Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en iTop (tambi\u00e9n conocido como IT Operations Portal) v1.1.181 y v1.2.0-RC-282 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de (1) un nombre de comp\u00f1\u00eda manipulado (2) un nombre de servidor de base de datos manipulada, (3) fichero CSV manipulado, (4) acci\u00f3n copiar-pegar manipulada, (5) el par\u00e1metro auth_user parameter en una acci\u00f3n suggest_pwd action sobre UI.php, (6) el par\u00e1metro c[menu] sobre universalSearch.php, (7) par\u00e1metro \"description\" en una acci\u00f3n searchFormToAdd_document_list sobre UI.php, (8) el par\u00e1metro \"category\" en una acci\u00f3n errors action sobre audit.php, o (9) par\u00e1metro suggest_pwd parameter sobre UI.php.\r\n"}], "id": "CVE-2011-4275", "lastModified": "2024-11-21T01:32:07.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2011-11-26T03:57:45.693", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/archive/1/520632"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/520632/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/archive/1/520632"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/520632/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.tele-consulting.com/advisories/TC-SA-2011-02.txt"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}