CVE-2025-64167 HIGH

CVE-2025-64167: Combodo iTop vulnerable to reflected XSS in webservices/export.php

Vendor Combodo
Product iTop
Weakness CWE-79 · XSS
Published November 10, 2025
Last update November 10, 2025
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead.

Key dates

02Disclosure timeline

November 10, 2025 CVE published
November 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-3125 Zebra ZTC GK420d Alert Setup Page settings cross site scripting CVE-2022-2410 mTouch Quiz <= 3.1.3 - Admin+ Stored Cross Site Scripting CVE-2025-60112 WordPress aThemes Addons for Elementor Plugin <= 1.1.2 - Cross Site Scripting (XSS) Vulnerability CVE-2026-24558 WordPress ABG Rich Pins plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability CVE-2024-32950 WordPress WP Media Category Management plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability