CVE-2023-38511 - Vulnerability Details - OpenCVE

iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00623.

Key SSVC decision points have not yet been added.

Vendors	Products
Combodo	Itop

Configuration 1 [-]

OR	cpe:2.3:a:combodo:itop::::::::
	cpe:2.3:a:combodo:itop::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-42311	iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7
https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab
https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm
https://www.synacktiv.com/advisories/file-read-in-itop

History

Thu, 06 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Combodo Combodo itop
CPEs		cpe:2.3:a:combodo:itop::::::::
Vendors & Products		Combodo Combodo itop

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-15T17:06:35.666Z

Updated: 2024-08-02T17:46:56.635Z

Reserved: 2023-07-18T16:28:12.078Z

Link: CVE-2023-38511

Vulnrichment

Updated: 2024-08-02T17:46:56.635Z

NVD

Status : Analyzed

Published: 2024-04-15T17:15:06.893

Modified: 2025-02-06T20:55:41.760

Link: CVE-2023-38511

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38511", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-18T16:28:12.078Z", "datePublished": "2024-04-15T17:06:35.666Z", "dateUpdated": "2024-08-02T17:46:56.635Z"}, "containers": {"cna": {"title": "iTop Dashboard editor vulnerable dashboard config file parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm"}, {"name": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7", "tags": ["x_refsource_MISC"], "url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7"}, {"name": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab", "tags": ["x_refsource_MISC"], "url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab"}, {"name": "https://www.synacktiv.com/advisories/file-read-in-itop", "tags": ["x_refsource_MISC"], "url": "https://www.synacktiv.com/advisories/file-read-in-itop"}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"version": ">= 3.0.0, < 3.0.4", "status": "affected"}, {"version": ">= 3.1.0, < 3.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-15T17:08:27.830Z"}, "descriptions": [{"lang": "en", "value": "iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.\n"}], "source": {"advisory": "GHSA-323r-chx5-m9gm", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38511", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-17T20:37:20.591801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:28:15.955Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:56.635Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm"}, {"name": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7"}, {"name": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab"}, {"name": "https://www.synacktiv.com/advisories/file-read-in-itop", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.synacktiv.com/advisories/file-read-in-itop"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm", "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7", "name": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab", "name": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.synacktiv.com/advisories/file-read-in-itop", "name": "https://www.synacktiv.com/advisories/file-read-in-itop", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:56.635Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38511", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-17T20:37:20.591801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:23.843Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "iTop Dashboard editor vulnerable dashboard config file parameter", "source": {"advisory": "GHSA-323r-chx5-m9gm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.0.4"}, {"status": "affected", "version": ">= 3.1.0, < 3.1.1"}]}], "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm", "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7", "name": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab", "name": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab", "tags": ["x_refsource_MISC"]}, {"url": "https://www.synacktiv.com/advisories/file-read-in-itop", "name": "https://www.synacktiv.com/advisories/file-read-in-itop", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-15T17:08:27.830Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38511", "state": "PUBLISHED", "dateUpdated": "2024-08-02T17:46:56.635Z", "dateReserved": "2023-07-18T16:28:12.078Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-15T17:06:35.666Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "F42542C8-DEF2-45E2-983B-B161F76C8FDA", "versionEndExcluding": "3.0.4", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "E46BEA8B-6ECB-44B7-9509-99E2CBB569EC", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.\n"}, {"lang": "es", "value": "iTop es una plataforma de gesti\u00f3n de servicios de TI. Editor de panel: puede cargar varios archivos y URL, y revelar la ruta completa en el archivo de configuraci\u00f3n del panel. Esta vulnerabilidad se solucion\u00f3 en 3.0.4 y 3.1.1."}], "id": "CVE-2023-38511", "lastModified": "2025-02-06T20:55:41.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-15T17:15:06.893", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.synacktiv.com/advisories/file-read-in-itop"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/Combodo/iTop/commit/343e87a8d4fc8253fd81aeaf0dcc424b9dc4eda7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/Combodo/iTop/commit/89145593ef2e077529a6f7ee7cde712db637e1ab"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-323r-chx5-m9gm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.synacktiv.com/advisories/file-read-in-itop"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}