CVE-2025-48878 MEDIUM

CVE-2025-48878: Combodo iTop vulnerable to IDOR with ModuleInstallation object

Vendor Combodo

Product iTop

Weakness CWE-862 · Missing authorization

Published November 10, 2025

Last update November 10, 2025

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue.

Key dates

02Disclosure timeline

November 10, 2025 CVE published

November 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-48878 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-24541 WordPress Download After Email plugin <= 2.1.9 - Broken Access Control vulnerability CVE-2024-5820 Unprotected WebSocket in stitionai/devika CVE-2025-42913 Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application) CVE-2024-5703 Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.26 - Missing Authorization CVE-2024-37517 WordPress Spectra plugin <= 2.13.7 - Broken Access Control vulnerability