Users enumeration allowed through Rest API in Combodo iTop

Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it easier to bruteforce a valid account. As a fix the sentence displayed after resetting password no longer shows if the user exists or not. This fix is included in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. Users unable to upgrade may overload the dictionary entry `"UI:ResetPwd-Error-WrongLogin"` through an extension and replace it with a generic message.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

信息暴露

Combodo iTop 信息泄露漏洞

Combodo iTop是法国Combodo公司的一套基于ITIL开发且用于IT环境日常运营的开源Web应用程序。该程序提供事件管理、配置管理和问题管理等功能。 Combodo iTop 2.7.11之前版本、3.0.5之前版本、3.1.2之前版本和3.2.0之前版本存在信息泄露漏洞，该漏洞源于未经身份验证的用户可以执行用户枚举，以便暴力破解有效帐户。

N/A

N/A