Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it easier to bruteforce a valid account. As a fix the sentence displayed after resetting password no longer shows if the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may overload the dictionary entry `"UI:ResetPwd-Error-WrongLogin"` through an extension and replace it with a generic message.
History

Fri, 08 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-203

Tue, 05 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Combodo
Combodo itop
CPEs cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*
Vendors & Products Combodo
Combodo itop
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 Nov 2024 18:15:00 +0000

Type Values Removed Values Added
Description Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it easier to bruteforce a valid account. As a fix the sentence displayed after resetting password no longer shows if the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may overload the dictionary entry `"UI:ResetPwd-Error-WrongLogin"` through an extension and replace it with a generic message.
Title Users enumeration allowed through Rest API in Combodo iTop
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-05T18:11:37.244Z

Updated: 2024-11-05T18:50:23.340Z

Reserved: 2024-10-31T14:12:45.789Z

Link: CVE-2024-51739

cve-icon Vulnrichment

Updated: 2024-11-05T18:44:34.653Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-05T18:15:16.547

Modified: 2024-11-08T15:56:18.753

Link: CVE-2024-51739

cve-icon Redhat

No data.