CVE-2025-47773 Overview
CVE-2025-47773 is a stored cross-site scripting (XSS) vulnerability in Combodo iTop, a web-based IT service management (ITSM) tool. The flaw affects iTop versions prior to 2.7.13 and 3.2.2. Attackers can inject malicious HTML or JavaScript when a dashboard is edited through an AJAX call because the rendered HTML content is not properly sanitized. Exploitation requires user interaction and can execute in the browser context of any user who views the tampered dashboard. The issue is tracked under CWE-79 and is addressed in the GitHub Security Advisory GHSA-9qmf-5457-9xp3.
Critical Impact
Authenticated attackers can persist malicious scripts inside iTop dashboards, hijacking sessions or executing actions on behalf of other users when they view the affected dashboard.
Affected Products
- Combodo iTop versions prior to 2.7.13
- Combodo iTop versions in the 3.x branch prior to 3.2.2
- Deployments exposing dashboard editing functionality to untrusted users
Discovery Timeline
- 2025-11-10 - CVE-2025-47773 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-47773
Vulnerability Analysis
Combodo iTop provides customizable dashboards that users can edit interactively through asynchronous JavaScript and XML (AJAX) requests. In vulnerable versions, the server does not sufficiently sanitize or encode HTML content supplied during dashboard edits before returning it for rendering. An attacker with permissions to edit a dashboard can embed active script payloads that execute when another user loads the dashboard.
The defect is a neutralization failure in output handling, categorized as CWE-79: Improper Neutralization of Input During Web Page Generation. Because dashboards are shared collaboration surfaces in ITSM workflows, injected payloads can reach administrators, support agents, and other privileged users.
Root Cause
The root cause is missing HTML sanitization of dashboard content rendered through the AJAX edit path. Prior versions trusted the payload returned from the edit endpoint and rendered it directly into the Document Object Model (DOM). Versions 2.7.13 and 3.2.2 add protection over the rendered HTML content to break active script execution.
Attack Vector
An attacker with a low-privileged authenticated account crafts a dashboard edit request containing an XSS payload in a field rendered as HTML. Upon saving, the payload is persisted server-side. When another iTop user opens or edits the dashboard, the payload executes in their browser under the iTop origin. This scope-changing behavior can lead to session token theft, forced actions via the iTop API, or defacement of ITSM records. Exploitation is network-based and requires user interaction to view the malicious dashboard.
No public proof-of-concept exploit is available at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Detection Methods for CVE-2025-47773
Indicators of Compromise
- Dashboard definitions containing <script>, onerror=, onload=, or javascript: payloads persisted in the iTop database.
- Unexpected AJAX POST requests to dashboard edit endpoints originating from low-privileged user accounts.
- Outbound HTTP requests from iTop user browsers to unfamiliar domains shortly after dashboard access.
Detection Strategies
- Review iTop application logs for dashboard edit operations correlated with users who do not normally curate dashboards.
- Inspect stored dashboard XML or JSON definitions for HTML tags and event-handler attributes outside expected widget markup.
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script executions triggered on dashboard pages.
Monitoring Recommendations
- Enable web application firewall (WAF) rules that flag script tags and event handlers in requests to iTop dashboard endpoints.
- Alert on anomalous session activity such as concurrent logins or API token creation immediately following dashboard views.
- Forward iTop web server and application logs to a centralized analytics platform for retrospective hunting on dashboard edit patterns.
How to Mitigate CVE-2025-47773
Immediate Actions Required
- Upgrade iTop to version 2.7.13 or 3.2.2 or later, which sanitize rendered dashboard HTML.
- Audit existing dashboards for unauthorized edits and remove any embedded HTML or scripts.
- Restrict dashboard editing permissions to trusted administrative roles until patching is complete.
Patch Information
Combodo published fixes in iTop 2.7.13 and 3.2.2. Details and remediation guidance are provided in the Combodo iTop GitHub Security Advisory GHSA-9qmf-5457-9xp3. Administrators should follow the standard iTop upgrade procedure and verify database integrity after the update.
Workarounds
- Temporarily disable or limit dashboard edit rights for non-administrative user profiles.
- Enforce a strict Content Security Policy that blocks inline scripts and untrusted script sources on iTop pages.
- Place iTop behind a WAF configured to inspect and neutralize XSS patterns in dashboard AJAX endpoints.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

