Impact
CSRF tokens generated by the privUITransactionFile implementation are not properly checked, so the anti-CSRF protection on affected iTop versions (prior to the fixed releases listed below) can be bypassed by a cross-site request forgery attack.
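As an added illustration of the bug class named above (constructed example code, not iTop's privUITransactionFile or privUITransactionSession classes, and not a description of the actual defect), the following PHP contrasts a check that only inspects a token's shape with a session-backed store that validates and consumes each token it actually issued. SessionTransactionStore and formatOnlyCheck are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not iTop code. SessionTransactionStore is a hypothetical
// class showing what a correct "transaction" (anti-CSRF) check needs: the
// token must have been issued by the server, must not have expired, and
// must be consumed on first use so a replay fails.
final class SessionTransactionStore
{
    /** @var array<string,int> token => expiry timestamp */
    private $tokens;
    private int $ttl;

    // $storage is bound by reference so the demo can use a plain array;
    // in a real application pass $_SESSION['transactions'] after session_start().
    public function __construct(array &$storage, int $ttl = 3600)
    {
        $this->tokens = &$storage;
        $this->ttl = $ttl;
    }

    // Issue an unguessable token and remember it server-side.
    public function getNewTransactionId(): string
    {
        $token = bin2hex(random_bytes(32));
        $this->tokens[$token] = time() + $this->ttl;
        return $token;
    }

    // Accept only a token we issued that is unexpired and unused; consume it.
    public function isTransactionValid(string $token): bool
    {
        $matched = null;
        foreach ($this->tokens as $stored => $expiry) {
            // constant-time compare against every stored token
            if (hash_equals((string) $stored, $token)) {
                $matched = (string) $stored;
            }
            if ($expiry < time()) {
                unset($this->tokens[$stored]); // garbage-collect stale tokens
            }
        }
        if ($matched === null || !isset($this->tokens[$matched])) {
            return false;
        }
        unset($this->tokens[$matched]); // single use: a replayed token fails
        return true;
    }
}

// Anti-pattern, constructed for contrast: a check that only looks at the
// token's shape. Any well-formed value passes, so a cross-site form can
// supply its own token and the server never consults what it issued.
function formatOnlyCheck(string $token): bool
{
    return strlen($token) === 64 && ctype_xdigit($token);
}

// Demo (a plain array stands in for $_SESSION).
$session = [];
$store = new SessionTransactionStore($session);

$issued = $store->getNewTransactionId(); // embedded in the legitimate form
$forged = str_repeat('a', 64);           // attacker-chosen, well-formed value

var_dump($store->isTransactionValid($forged)); // a token the server never issued
var_dump($store->isTransactionValid($issued)); // the issued token, first use
var_dump($store->isTransactionValid($issued)); // the same token replayed
var_dump(formatOnlyCheck($forged));            // the weak check on the forged token
```

Run with `php example.php`: the session-backed store rejects the forged token, accepts the issued token once and rejects its replay, while the format-only check accepts the forged token. The practical takeaway is the same as the workaround below: token validation must be backed by server-side state that records which tokens were issued, which is what the session implementation provides.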
Workaround
Switch to the session-based transaction implementation by adding the following setting to the iTop configuration file (config-itop.php):
'transaction_storage' => 'Session',
Patches
Fixed in iTop 2.7.6 and 3.0.0.
References
Combodo ref N°4289
Credits
@amammad / Huntr
For more information
huntr: Cross-Site Request Forgery (CSRF) PHP Vulnerability in itop
If you have any questions or comments about this advisory:
Email us at itop-security@combodo.com