CVE-2021-41162 CRITICAL

CVE-2021-41162: Cross-site Scripting in Combodo iTop

Vendor Combodo
Product iTop
Weakness CWE-79 · XSS
Published April 21, 2022
Last update April 23, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the `ajax.render.php?operation=wizard_helper` page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

April 21, 2022 CVE published
April 23, 2025 Record updated