Combodo iTop is a simple, web-based IT Service Management tool. An unauthenticated user can perform user enumeration, which makes it easier to brute-force a valid account. As a fix, the message displayed after a password reset no longer reveals whether the user exists. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may override the dictionary entry `"UI:ResetPwd-Error-WrongLogin"` through an extension and replace it with a generic message.
History
Fri, 08 Nov 2024 16:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Weaknesses | CWE-203 |
Tue, 05 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added
---|---|---
First Time appeared | Combodo, Combodo itop |
CPEs | cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* |
Vendors & Products | Combodo, Combodo itop |
Metrics | ssvc |
Tue, 05 Nov 2024 18:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Description | Combodo iTop is a simple, web-based IT Service Management tool. An unauthenticated user can perform user enumeration, which makes it easier to brute-force a valid account. As a fix, the message displayed after a password reset no longer reveals whether the user exists. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may override the dictionary entry `"UI:ResetPwd-Error-WrongLogin"` through an extension and replace it with a generic message. |
Title | Users enumeration allowed through Rest API in Combodo iTop |
Weaknesses | CWE-200 |
References | |
Metrics | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-05T18:11:37.244Z
Updated: 2024-11-05T18:50:23.340Z
Reserved: 2024-10-31T14:12:45.789Z
Link: CVE-2024-51739
Vulnrichment
Updated: 2024-11-05T18:44:34.653Z
NVD
Status: Analyzed
Published: 2024-11-05T18:15:16.547
Modified: 2024-11-08T15:56:18.753
Link: CVE-2024-51739
Redhat
No data.