{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24021", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-16T17:31:06.459Z", "datePublished": "2025-05-14T14:48:42.694Z", "dateUpdated": "2025-05-14T15:13:02.288Z"}, "containers": {"cna": {"title": "iTop doesn't have mass assignment of fields in the portal form", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj"}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"version": "< 2.7.12", "status": "affected"}, {"version": ">= 3.0.0, < 3.1.3", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-14T14:48:42.694Z"}, "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}], "source": {"advisory": "GHSA-c8hm-h9gv-8jpj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T15:12:47.176574Z", "id": "CVE-2025-24021", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T15:13:02.288Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24021", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-14T15:12:47.176574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T15:12:53.516Z"}}], "cna": {"title": "iTop doesn't have mass assignment of fields in the portal form", "source": {"advisory": "GHSA-c8hm-h9gv-8jpj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Combodo", "product": "iTop", "versions": [{"status": "affected", "version": "< 2.7.12"}, {"status": "affected", "version": ">= 3.0.0, < 3.1.3"}, {"status": "affected", "version": ">= 3.2.0, < 3.2.1"}]}], "references": [{"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "name": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-14T14:48:42.694Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24021", "state": "PUBLISHED", "dateUpdated": "2025-05-14T15:13:02.288Z", "dateReserved": "2025-01-16T17:31:06.459Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-14T14:48:42.694Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue."}], "id": "CVE-2025-24021", "lastModified": "2025-05-14T15:15:56.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-14T15:15:56.157", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-c8hm-h9gv-8jpj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}