CVE-2025-47286

Source
https://cve.org/CVERecord?id=CVE-2025-47286
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47286.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-47286
Aliases
  • GHSA-4w93-rw6g-5m9c
Published
2025-11-10T18:38:40.283Z
Modified
2025-12-05T10:17:37.198708Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Combodo iTop vulnerable to Remote Code Execution in the backup creation functionality
Details

Combodo iTop is a web-based IT service management tool. In versions prior to 2.7.13 and 3.2.2, an administrator can, by editing the configuration of the iTop instance, execute code on the server. Versions 2.7.13 and 3.2.2 escape and check the config parameter before executing a command based on it.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47286.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-74"
    ]
}
References

Affected packages

Git / github.com/combodo/itop

Affected ranges

Type
GIT
Repo
https://github.com/combodo/itop
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.13"
        }
    ]
}
Type
GIT
Repo
https://github.com/combodo/itop
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0-alpha"
        },
        {
            "fixed": "3.2.2"
        }
    ]
}

Affected versions

1.*
1.0.8
2.*
2.5.1
2.5.2
2.5.3
2.5.4
2.6.0
2.6.0-a
2.6.0-products
2.6.1
2.6.2
2.6.2-1
2.6.2-2
2.6.3
2.6.4
2.7.0
2.7.0-1
2.7.0-2
2.7.0-alpha1
2.7.0-beta
2.7.0-beta2
2.7.0-rc
2.7.0-rc2
2.7.1
2.7.10
2.7.11
2.7.12
2.7.13
2.7.2
2.7.2-1
2.7.3
2.7.3-1
2.7.3-2
2.7.4
2.7.5
2.7.5-1
2.7.5-2
2.7.6
2.7.7
2.7.8
2.7.9
Other
3
N1963
N2011
N2016
N941
N941-2
itop-carbon
3.*
3.0.0
3.0.0-alpha
3.0.0-beta
3.0.0-beta2
3.0.0-beta3
3.0.0-beta4
3.0.0-beta5
3.0.0-beta6
3.0.0-beta7
3.0.0-beta8
3.0.0-rc
3.0.1
3.0.1-designer-feature-lot1
3.0.1-designer-feature-lot2
3.0.2
3.0.2-1
3.0.2-rc1
3.0.3
3.0.3-1
3.0.3-designer-php8.0-compatibility
3.0.4
3.1.0
3.1.0-1
3.1.0-2
3.1.0-3
3.1.0-alpha1
3.1.0-beta
3.1.0-designer-2
3.1.1
3.1.1-1
3.1.1-2
3.1.2
3.1.3
3.2.0
3.2.0-alpha1
3.2.0-beta1
3.2.0-rc1
3.2.0-rc2
3.2.0-rc3
3.2.1
ITSM_Designer_3.*
ITSM_Designer_3.1-compatibility

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47286.json"