CVE-2022-39214 CRITICAL

CVE-2022-39214: Authenticated users of Combodo iTop can take over any account

Vendor Combodo

Product iTop

Weakness CWE-863 · Incorrect authorization

Published March 14, 2023

Last update February 25, 2025

View on NVD All CVEs

CVSS base score

9.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, a user who can log in on iTop is able to take over any account just by knowing the account's username. This issue is fixed in versions 2.7.8 and 3.0.2-1.

Key dates

02Disclosure timeline

March 14, 2023 CVE published

February 25, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-39214

Related vulnerabilities

Identifiers

CVE CVE-2022-39214

CWE CWE-863

CVSS 9.6 / CRITICAL

Affected versions

Vendor Combodo

Product iTop

Affected < 2.7.8

Vendor Combodo

Product iTop

Affected >= 3.0.0, < 3.0.2-1

CVE-2022-39214: Authenticated users of Combodo iTop can take over any account

01Description

02Disclosure timeline

03References

04Related CVE