CVE-2025-24021 MEDIUM

CVE-2025-24021: iTop doesn't have mass assignment of fields in the portal form

Vendor Combodo

Product iTop

Weakness CWE-862 · Missing authorization

Published May 14, 2025

Last update August 26, 2025

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

Key dates

02Disclosure timeline

May 14, 2025 CVE published

August 26, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-24021 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-62019 WordPress Recipe Card Blocks for Gutenberg & Elementor plugin <= 3.4.8 - Broken Access Control vulnerability CVE-2025-13717 Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter CVE-2025-12091 Search, Filters & Merchandising for WooCommerce <= 3.0.67 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation CVE-2024-50456 WordPress SEOPress plugin <= 8.1.1 - Broken Access Control vulnerability CVE-2026-3614 AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Identifiers

CVE CVE-2025-24021

CWE CWE-862

CVSS 5.0 / MEDIUM

Affected versions

Vendor Combodo

Product iTop

Affected < 2.7.12

Vendor Combodo

Product iTop

Affected >= 3.0.0, < 3.1.3

Vendor Combodo

Product iTop

Affected >= 3.2.0, < 3.2.1