Vulnerability CVE-2025-47286: Information

Description

Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can execute code on the server by editing the configuration of the iTop instance. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it.

Severity (CVSS 4.0): HIGH (8.6)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity (CVSS 3.1): HIGH (7.2)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Published: Nov. 10, 2025
Modified: Nov. 21, 2025
Error type identifier: CWE-74

Fixed packages

Package name | Branch               | Fixed in version | Version from repository | Errata ID            | Task # | State
itop         | sisyphus             | 3.2.2-alt1       | 3.2.2-alt2              | ALT-PU-2025-10802-2  | 393043 | Fixed
itop         | sisyphus_riscv64     | 3.2.2-alt1       | 3.2.2-alt2              | ALT-PU-2025-10834-1  | -      | Fixed
itop         | sisyphus_loongarch64 | 3.2.2-alt1       | 3.2.2-alt2              | ALT-PU-2025-10840-1  | -      | Fixed
itop         | c10f2                | 3.2.2-alt1       | 3.2.2-alt1              | ALT-PU-2025-14292-4  | 399752 | Fixed

References to Advisories, Solutions, and Tools

    1. cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* (affected: all versions before 2.7.13, end excluding 2.7.13)

       cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* (affected: from 3.0.0 start including, up to 3.2.2 end excluding)