SSRF through arbitrary PHP class instantiation in the user portal in Combodo iTop

Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

服务端请求伪造(SSRF)

Combodo iTop 代码问题漏洞

Combodo iTop是法国Combodo公司的一套基于ITIL开发且用于IT环境日常运营的开源Web应用程序。该程序提供事件管理、配置管理和问题管理等功能。 Combodo iTop 2.7.11之前版本、3.0.5之前版本、3.1.2之前版本和3.2.0之前版本存在代码问题漏洞，该漏洞源于可以从低权限用户代表服务器创建HTTP请求。

N/A

N/A