CVE-2021-32776 MEDIUM

CVE-2021-32776: No CSRF form token cleanup on Windows servers

Vendor Combodo
Product iTop
Weakness CWE-352 · CSRF
Published July 21, 2021
Last update August 3, 2024
View on NVD All CVEs

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, CSRF tokens can be reused by a malicious user, as on Windows servers no cleanup is done on CSRF tokens. This issue is fixed in versions 2.7.4 and 3.0.0.

Key dates

02Disclosure timeline

July 21, 2021 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-40864 JupyterHub: Cross-origin form POSTs bypass XSRF CVE-2025-25121 WordPress Theme Options Z Plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-49853 WordPress PayTR Taksit Tablosu Plugin <= 1.3.1 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2024-32082 WordPress Sync Post With Other Site plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) to XSS vulnerability CVE-2022-1792 Quick Subscribe <= 1.7.1 - Arbitrary Settings Update via CSRF to Stored XSS