fkie_cve-2023-48709
Vulnerability from fkie_nvd
Published
2024-04-15 18:15
Modified
2025-02-06 21:02
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.
References
security-advisories@github.comhttps://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04aPatch
security-advisories@github.comhttps://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17cPatch
security-advisories@github.comhttps://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04aPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17cPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9Vendor Advisory
Impacted products
Vendor Product Version
combodo itop *
combodo itop *
combodo itop *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA0F67ED-5CDF-43B4-80A2-44BBB56A9624",
              "versionEndExcluding": "2.7.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F42542C8-DEF2-45E2-983B-B161F76C8FDA",
              "versionEndExcluding": "3.0.4",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E46BEA8B-6ECB-44B7-9509-99E2CBB569EC",
              "versionEndExcluding": "3.1.1",
              "versionStartIncluding": "3.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "iTop is an IT service management platform.  When exporting data from backoffice or portal in CSV or Excel files, users\u0027 inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0."
    },
    {
      "lang": "es",
      "value": "iTop es una plataforma de gesti\u00f3n de servicios de TI. Al exportar datos desde el backoffice o el portal en archivos CSV o Excel, las entradas de los usuarios pueden incluir f\u00f3rmulas maliciosas que pueden importarse a Excel. Como Excel 2016 **no** impide la ejecuci\u00f3n remota de c\u00f3digo de forma predeterminada, los usuarios desinformados pueden convertirse en v\u00edctimas. Esta vulnerabilidad se solucion\u00f3 en 2.7.9, 3.0.4, 3.1.1 y 3.2.0."
    }
  ],
  "id": "CVE-2023-48709",
  "lastModified": "2025-02-06T21:02:53.030",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-04-15T18:15:08.877",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        },
        {
          "lang": "en",
          "value": "CWE-1236"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1236"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.