🔍 **CWE-918**: Insecure Direct Object Reference. The app exposes internal object references (like ModuleInstallation) without proper authorization checks. 🛑 Flaw: No validation of user permissions before object creation.
Q3影响谁?(版本/组件)
⚠️ **Affected**: Combodo iTop versions **before 3.2.2**. 📦 Component: Web application core handling module installations. 🌐 All deployments using vulnerable versions are at risk.
Q4黑客能干啥?(权限/数据)
🔓 Hackers with **low privileges** (PR:L) can create `ModuleInstallation` objects. 🧩 No direct data theft (C:N), but can **alter application behavior** (I:L) — e.g., inject malicious modules or bypass controls.
Q5利用门槛高吗?(认证/配置)
📉 **Low exploitation threshold**. 🧑💻 Requires only low privileges (PR:L). No user interaction needed (UI:N). Exploitable remotely (AV:N). 🎯 Easy to automate.
Q6有现成Exp吗?(PoC/在野利用)
❌ **No public PoC** listed. 📌 References only point to official advisory (GHSA-rj75-7cgw-4556). 🚫 No evidence of wild exploitation reported.
Q7怎么自查?(特征/扫描)
🔍 **Self-check**: Audit for `ModuleInstallation` creation endpoints. 🧪 Use tools like Burp Suite to test if low-privilege users can create modules. 📊 Check logs for unexpected module installs.
Q8官方修了吗?(补丁/缓解)
✅ **Officially fixed in v3.2.2**. 🛡️ Patch includes access control enforcement for ModuleInstallation. 📦 Upgrade to 3.2.2 or later to resolve.
Q9没补丁咋办?(临时规避)
🛠️ **Workaround**: Disable module installation feature if not needed. 🔐 Implement custom access control via iTop extensions. 📋 Monitor for unauthorized module creation logs.
Q10急不急?(优先级建议)
⚠️ **Medium urgency**. CVSS 3.1: 5.3 (L:Low, I:Low, C:None). 🚨 Not critical, but **should be patched promptly** to prevent service disruption or privilege creep. 📅 Prioritize if module management is active.