Vulnerability CVE-2023-48709: Information

Description

iTop is an IT service management platform. When exporting data from backoffice or portal in CSV or Excel files, users' inputs may include malicious formulas that may be imported into Excel. As Excel 2016 does **not** prevent Remote Code Execution by default, uninformed users may become victims. This vulnerability is fixed in 2.7.9, 3.0.4, 3.1.1, and 3.2.0.

Severity: HIGH (8.0)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
URL: https://nvd.nist.gov/vuln/detail/CVE-2023-48709
Published: April 15, 2024
Modified: Feb. 6, 2025
Error type identifier: CWE-1236

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
itopsisyphus3.2.0.2-alt13.2.2-alt2ALT-PU-2025-1468-2369847Fixed
itopsisyphus_e2k3.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-1071-1-Fixed
itopsisyphus_riscv643.2.0.2-alt13.2.2-alt2ALT-PU-2025-1528-1-Fixed
itopsisyphus_loongarch643.1.1.1-alt13.2.2-alt2ALT-PU-2024-1042-1-Fixed
itopp103.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-4537-3343613Fixed
itopp10_e2k3.1.1.1-alt13.1.1.1-alt1ALT-PU-2024-4805-1-Fixed
itopc10f23.1.1.1-alt13.2.2-alt1ALT-PU-2024-4549-3343622Fixed
itopc9f23.1.1.1-alt13.2.0.2-alt0.c9f2.1ALT-PU-2024-4547-3343621Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/Combodo/iTop/commit/083a0b79bfa2c106735b5c10eddb35a05ec7f04a
  • Patch
https://github.com/Combodo/iTop/commit/b10bcb976dfe8e55aa0f659bfbcdd18334a1b17c
  • Patch
https://github.com/Combodo/iTop/security/advisories/GHSA-9q3x-9987-53x9
  • Vendor Advisory
    1. cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*
      End excluding
      2.7.9
      cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*
      Start including
      3.0.0
      End excluding
      3.0.4
      cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*
      Start including
      3.1.0
      End excluding
      3.1.1
VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
Version: v26.2.2
Back to top