CVE-2018-10642

moderate-risk

Published 2018-05-02

Command injection vulnerability in Combodo iTop 2.4.1 allows remote authenticated administrators to execute arbitrary commands by changing the platform configuration, because web/env-production/itop-config/config.php contains a function called TestConfig() that calls the vulnerable function eval().

Do I need to act?

3.8% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (1)

Itop

Affected Vendors

Combodo

References (4)

Exploit https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt

Issue Tracking https://sourceforge.net/p/itop/tickets/1585/

Exploit https://github.com/arbahayoub/POC/blob/master/itop_command_injection_1.txt

Issue Tracking https://sourceforge.net/p/itop/tickets/1585/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 7/34 · Low

Exposure 5/34 · Minimal