{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24021", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-16T17:31:06.459Z", "datePublished": "2025-05-14T14:48:42.694Z", "dateUpdated": "2025-08-26T13:44:18.910Z"}, "containers": {"cna": {"title": "iTop doesn't have mass assignment of fields in the portal form", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj"}, {"name": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b", "tags": ["x_refsource_MISC"], "url": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b"}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"version": "< 2.7.12", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.3", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-22T20:45:11.090Z"}, "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}], "source": {"advisory": "GHSA-c8hm-h9gv-8jpj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T15:12:47.176574Z", "id": "CVE-2025-24021", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-26T13:44:18.910Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24021", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-14T15:12:47.176574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T15:12:53.516Z"}}], "cna": {"title": "iTop doesn't have mass assignment of fields in the portal form", "source": {"advisory": "GHSA-c8hm-h9gv-8jpj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"status": "affected", "version": "< 2.7.12"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.3"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.1"}]}], "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b", "name": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-22T20:45:11.090Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24021", "state": "PUBLISHED", "dateUpdated": "2025-08-26T13:44:18.910Z", "dateReserved": "2025-01-16T17:31:06.459Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-14T14:48:42.694Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC277226-1ABB-4593-B14C-4910541DA298", "versionEndExcluding": "2.7.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C365D2D-CA46-4DA0-8739-7950631132E0", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE41CA6-35B8-41BA-B116-B63136CA48C9", "versionEndExcluding": "3.2.1", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}, {"lang": "es", "value": "iTop es una herramienta web de gesti\u00f3n de servicios de TI. En versiones anteriores a las 2.7.12, 3.1.3 y 3.2.1, cualquier persona con una cuenta y acceso al portal pod\u00eda asignar valores a campos de objeto cuando no deb\u00eda. Las versiones 2.7.12, 3.1.3 y 3.2.1 incluyen una soluci\u00f3n para este problema."}], "id": "CVE-2025-24021", "lastModified": "2025-08-22T21:15:30.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-14T15:15:56.157", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Combodo/iTop/commit/44290db312901fc5918cc537c74561487fb3713b"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-12T15:26:16.601115+00:00", "updated": "2025-07-12T15:26:16.601169+00:00", "vendors": ["combodo", "combodo$PRODUCT$itop"]}