CVE-2025-64167

Source
https://cve.org/CVERecord?id=CVE-2025-64167
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64167.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64167
Aliases
  • GHSA-pr7w-2cr9-5h38
Published
2025-11-10T21:15:11.632Z
Modified
2026-07-15T01:49:03.075338090Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
Summary
Combodo iTop vulnerable to reflected XSS in webservices/export.php
Details

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64167.json",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/combodo/itop

Affected ranges

Type
GIT
Repo
https://github.com/combodo/itop
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.13"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.2.2"
        }
    ]
}

Affected versions

1.*
1.0.8
2.*
2.6.1
2.6.2
2.6.3
2.7.0-alpha1
2.7.0-beta
2.7.0-beta2
2.7.1
2.7.10
2.7.11
2.7.12
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
3.*
3.1.0-alpha1
3.2.0-alpha1
3.2.0-rc1
3.2.0-rc2
3.2.0-rc3
3.2.1
ITSM_Designer_3.*
ITSM_Designer_3.1-compatibility
Other
N1963
N2011
N2016
N941
N941-2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64167.json"