CVE-2023-45808

iTop missing silo check on extkey in console and portal

Description

iTop is an IT service management platform. When creating or updating an object, extkey values aren't checked to be in the current user silo. In other words, by forging an http request, the user can create objects pointing to out of silo objects (for example a UserRequest in an out of scope Organization). Fixed in iTop 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

Category

4.1
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.08%
Vendor Advisory github.com
Affected: Combodo iTop
Published at:
Updated at:

References

Link Tags
https://github.com/Combodo/iTop/security/advisories/GHSA-245j-66p9-pwmh vendor advisory
https://github.com/Combodo/iTop/commit/5a434486443a2cf8b8a288475aada54d0a068ca7 patch
https://github.com/Combodo/iTop/commit/8f61c02cbe17badff87bff9b8ada85e783c47385 patch

Frequently Asked Questions

What is the severity of CVE-2023-45808?
CVE-2023-45808 has been scored as a medium severity vulnerability.
How to fix CVE-2023-45808?
To fix CVE-2023-45808, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-45808 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-45808 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-45808?
CVE-2023-45808 affects Combodo iTop.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.