Combodo

Products by Combodo Sorted by Most Security Vulnerabilities since 2018

Combodo Itop: 79 vulnerabilities

Combodo Teemip: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Combodo. Last year, in 2025, Combodo had 16 security vulnerabilities published. Right now, Combodo is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 16 7.67
2024 25 6.51
2023 6 7.12
2022 8 6.51
2021 11 6.65
2020 12 7.17
2019 1 7.20
2018 1 0.00

It may take a day or so for new Combodo vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Combodo Security Vulnerabilities

CVE-2025-64167 (Nov 10, 2025)
Combodo iTop XSS via export.php (pre-2.7.13 & pre-3.2.2)
Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead.
Products: Itop

CVE-2025-49145 (Nov 10, 2025)
Combodo iTop <2.7.13/3.2.2: Webhook Enables DB Drop
Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user who has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying the callback signature.
Products: Itop

CVE-2025-48878 (Nov 10, 2025)
iTop 3.x IDOR: ModuleInstallation creation allowed (fixed in 3.2.2)
Combodo iTop is a web-based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with the Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue.
Products: Itop

CVE-2025-48065 (Nov 10, 2025)
Combodo iTop 2.x/3.x XSS in error msg before 2.7.13/3.2.2
Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a field with an error contains malicious content. Versions 2.7.13 and 3.2.2 protect rendered HTML content.
Products: Itop

CVE-2025-48055 (Nov 10, 2025)
Combodo iTop 3.2.x XSS in User Portal Browse Brick
Combodo iTop is a web-based IT service management tool. In versions prior to 3.2.2, when displaying content in a browse brick in the user portal, a cross-site scripting attack can occur. This is fixed in versions 3.2.2 and 3.3.0.
Products: Itop

CVE-2025-47932 (Nov 10, 2025)
XSS in Combodo iTop <2.7.13, <3.2.2 via AJAX Dashboard
Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is rendered via an AJAX call. Versions 2.7.13 and 3.2.2 sanitize the variable responsible for the attack.
Products: Itop

CVE-2025-47773 (Nov 10, 2025)
Combodo iTop XSS via AJAX Dashboard Edit (<2.7.13, <3.2.2)
Combodo iTop is a web-based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content.
Products: Itop

CVE-2025-47286 (Nov 10, 2025)
Code Exec via Config in Combodo iTop <2.7.13/3.2.2
Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it.
Products: Itop

CVE-2025-24969 (May 14, 2025)
iTop <3.2.1: URL Picture ID Disclosure
iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue.
Products: Itop

CVE-2025-24785 (May 14, 2025)
iTop 3.2.0 Dashboard PHP Error Crash via Malformed layout_class
iTop is a web-based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard.
Products: Itop
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).