Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64167

CVE-2025-64167: Combodo iTop XSS Vulnerability

CVE-2025-64167 is a cross-site scripting flaw in Combodo iTop that enables JavaScript execution via URL parameter manipulation. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-64167 Overview

Combodo iTop is a web-based IT service management (ITSM) tool used by enterprises for service desks, configuration management databases (CMDB), and incident tracking. CVE-2025-64167 is a reflected cross-site scripting (XSS) vulnerability [CWE-79] affecting the deprecated export.php endpoint. Attackers can inject JavaScript through the URL parameter when a user edits it, leading to code execution in the victim's browser session. The flaw affects iTop versions prior to 2.7.13 and 3.2.2. Fixed versions remove reliance on export.php and use export-v2.php instead.

Critical Impact

An authenticated or lured user visiting a crafted iTop URL can trigger JavaScript execution in the browser, enabling session theft, unauthorized actions within the ITSM platform, or pivoting to internal systems referenced in the CMDB.

Affected Products

  • Combodo iTop versions prior to 2.7.13
  • Combodo iTop 3.x versions prior to 3.2.2
  • Deployments using the deprecated export.php endpoint

Discovery Timeline

  • 2025-11-10 - CVE-2025-64167 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64167

Vulnerability Analysis

The vulnerability resides in the legacy export.php script shipped with Combodo iTop. The script accepts a URL parameter without proper output encoding or input sanitization. When a user edits the parameter, attacker-controlled content is reflected into the rendered page, allowing arbitrary JavaScript execution in the context of the iTop application.

iTop stores privileged operational data including asset inventories, credentials for managed systems, and change tickets. An XSS payload executing in an administrator's session can exfiltrate authentication cookies, submit forged requests to the iTop API, or manipulate configuration items. Because the scope changes to include other components (browser context, session tokens), impact extends beyond the vulnerable script itself.

Root Cause

The root cause is improper neutralization of user-supplied input in the export.php handler. The script did not escape or validate the URL parameter before including it in the HTML response. Combodo addressed the issue by deprecating export.php entirely and routing export functionality through the hardened export-v2.php endpoint in versions 2.7.13 and 3.2.2.

Attack Vector

Exploitation requires user interaction. An attacker crafts a malicious link targeting the export.php endpoint with a JavaScript payload embedded in the URL parameter. The attacker delivers the link through phishing, chat, or an embedded reference in an iTop ticket. When the victim clicks the link and edits or submits the URL parameter, the payload executes in the browser under the iTop origin.

The vulnerability manifests in the parameter reflection logic of export.php. Refer to the GitHub Security Advisory GHSA-pr7w-2cr9-5h38 for vendor technical details.

Detection Methods for CVE-2025-64167

Indicators of Compromise

  • HTTP requests to /pages/export.php containing URL-encoded <script>, javascript:, or onerror= fragments in query parameters
  • Web server access logs showing external referrers linking directly to export.php with long or obfuscated parameter values
  • Unexpected outbound requests from browsers of iTop administrators shortly after clicking iTop links
  • Session activity from iTop accounts originating from new IP addresses immediately after a user clicked an external link

Detection Strategies

  • Inspect web application firewall (WAF) and reverse proxy logs for XSS payload signatures targeting the export.php path
  • Correlate iTop application logs with browser telemetry to identify anomalous script execution following URL parameter edits
  • Alert on any continued use of export.php after upgrading, since patched versions rely on export-v2.php

Monitoring Recommendations

  • Enable Content Security Policy (CSP) reporting to capture inline script violations from the iTop origin
  • Monitor authenticated iTop sessions for API calls executed without corresponding UI interaction, indicating scripted abuse
  • Track user-agent and IP consistency for privileged iTop accounts to detect session hijacking following XSS exploitation

How to Mitigate CVE-2025-64167

Immediate Actions Required

  • Upgrade Combodo iTop to version 2.7.13 (2.7.x branch) or 3.2.2 (3.x branch) or later
  • Block or remove the deprecated export.php endpoint at the web server or reverse proxy layer
  • Rotate iTop session cookies and administrative credentials if suspicious export.php traffic is observed
  • Notify iTop users to avoid clicking external links referencing iTop endpoints until the patch is applied

Patch Information

Combodo released fixed versions 2.7.13 and 3.2.2 that eliminate the vulnerable export.php code path and route export functionality through export-v2.php. Refer to the Combodo iTop Security Advisory GHSA-pr7w-2cr9-5h38 for upgrade guidance and release notes.

Workarounds

  • Restrict access to export.php using web server rewrite rules or an access control list until upgrading is feasible
  • Deploy a WAF rule that blocks requests to export.php containing script tags, event handlers, or JavaScript URI schemes in query parameters
  • Enforce a strict Content Security Policy on the iTop application to limit inline script execution
bash
# Example nginx configuration to block the deprecated endpoint
location ~* /export\.php$ {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.