CVE-2021-41161 CRITICAL

CVE-2021-41161: XSS in csvimport in 3.0.0-beta versions

Vendor Combodo
Product iTop
Weakness CWE-79 · XSS
Published April 21, 2022
Last update April 23, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Combodo iTop is a web based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page don't properly escape the user supplied parameters, allowing for javascript injection into rendered csv files. Users are advised to upgrade. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

April 21, 2022 CVE published
April 23, 2025 Record updated