CVE-2025-48065 HIGH

CVE-2025-48065: Combodo iTop vulnerable to reflected XSS via objection edition form error

Vendor Combodo

Product iTop

Weakness CWE-79 · XSS

Published November 10, 2025

Last update November 10, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content.

Key dates

02Disclosure timeline

November 10, 2025 CVE published

November 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-48065 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2025-48065

CWE CWE-79

CVSS 8.8 / HIGH

Affected versions

Vendor Combodo

Product iTop

Affected < 2.7.13

Vendor Combodo

Product iTop

Affected >= 3.0.0-alpha, < 3.2.2

CVE-2025-48065: Combodo iTop vulnerable to reflected XSS via objection edition form error

01Description

02Disclosure timeline

03References

04Related CVE