CVE-2021-32775 HIGH

CVE-2021-32775: Any user can see any fields (including mailbox password) with GroupBy Dashlet

Vendor: Combodo
Product: iTop
Weakness: CWE-209 · Error message info leak
Published: July 21, 2021
Last update: August 3, 2024

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

Combodo iTop is a web-based IT Service Management tool. In versions prior to 2.7.4, a non-admin user can get access to many class/field values through a GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0.

Key dates

02 Disclosure timeline

July 21, 2021: CVE published
August 3, 2024: Record updated