Bug 28144 - itop-itsm new security issue CVE-2020-15221
Summary: itop-itsm new security issue CVE-2020-15221
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-01-17 13:19 CET by Zombie Ryushu
Modified: 2021-03-27 21:53 CET

See Also:
Source RPM: itop-itsm-2.7.1-1.mga8.src.rpm
CVE: CVE-2020-15221
Status comment:


Description Zombie Ryushu 2021-01-17 13:19:49 CET
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0.
Zombie Ryushu 2021-01-17 13:20:16 CET

CVE: (none) => CVE-2020-15221
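
The mechanism in the description above (attacker-writable localStorage rendered into a breadcrumb) is worth seeing as code. The following is an added example and not iTop's code or its fix: a hypothetical breadcrumb widget that persists its entries under a made-up `breadcrumb` key, shown first in a form that concatenates the stored strings into markup (the DOM-XSS pattern the CVE describes) and then in a hardened form that validates each entry, restricts the link target to a relative path, and HTML-escapes before building markup. The in-memory store, the key name, the URLs and the payload entry are all constructed for the example; in a browser you would pass `window.localStorage` in place of `makeStore()`.

```javascript
// Added example, not iTop code. Stand-in for window.localStorage so the file
// runs under Node; the getItem/setItem shape matches the Web Storage API.
const STORAGE_KEY = 'breadcrumb'; // hypothetical key name, not iTop's

function makeStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable form: trusts whatever is in localStorage and builds markup by
// string concatenation, as if the result were assigned to element.innerHTML.
// Stored label text and URLs land in the page unescaped.
function renderBreadcrumbVulnerable(store) {
  const entries = JSON.parse(store.getItem(STORAGE_KEY) || '[]');
  return '<ul class="breadcrumb">' +
    entries.map((e) => `<li><a href="${e.url}">${e.label}</a></li>`).join('') +
    '</ul>';
}

// Hardened form: tolerate a corrupt store, check the shape of every entry,
// accept only same-origin relative paths as link targets (rejects javascript:,
// data: and protocol-relative //host URLs), and escape before concatenation.
function renderBreadcrumbSafe(store) {
  let entries;
  try {
    entries = JSON.parse(store.getItem(STORAGE_KEY) || '[]');
  } catch (_) {
    entries = []; // corrupt or tampered JSON: render an empty trail
  }
  if (!Array.isArray(entries)) entries = [];
  const items = entries
    .filter((e) => e && typeof e.label === 'string' && typeof e.url === 'string')
    .filter((e) => e.url === '/' || /^\/[^\/\\]/.test(e.url))
    .map((e) => `<li><a href="${escapeHtml(e.url)}">${escapeHtml(e.label)}</a></li>`);
  return '<ul class="breadcrumb">' + items.join('') + '</ul>';
}

// Constructed attacker-controlled trail. Anything that can write to this
// origin's localStorage (an earlier injection, a shared browser profile, a
// pasted devtools snippet) can plant it; the widget then runs it on every load.
const PAYLOAD = [
  { url: '/home', label: 'Home' },
  { url: '/ticket/42', label: '<img src=x onerror=alert(document.cookie)>' },
  { url: 'javascript:alert(1)', label: 'Evil' },
];

// Render the same stored trail both ways and return the two HTML strings.
function demo() {
  const store = makeStore();
  store.setItem(STORAGE_KEY, JSON.stringify(PAYLOAD));
  return {
    vulnerable: renderBreadcrumbVulnerable(store),
    safe: renderBreadcrumbSafe(store),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('vulnerable:', out.vulnerable);
  console.log('safe:      ', out.safe);
}
```

The practitioner's check when reviewing code like this is not "does the server sanitize the value" but "which client-side sink receives it": localStorage is fully writable by any script on the origin and by the user, so a value read from it carries no more trust than a query parameter, and it must go through the same escaping (or be assigned via `textContent` rather than `innerHTML`) before reaching the DOM.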

Comment 1 David Walser 2021-01-17 17:46:13 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15221
https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw

Summary: itop-itsm security update CVE-2020-15221 => itop-itsm new security issue CVE-2020-15221
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.7.2
Assignee: bugsquad => bruno

Comment 2 Nicolas Lécureuil 2021-01-17 19:37:03 CET
Version 2.7.3 freeze push asked for Cauldron.

CC: (none) => mageia

Comment 3 David Walser 2021-01-18 08:01:52 CET
itop-itsm-2.7.3-1.mga8 uploaded for Cauldron.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 Nicolas Lécureuil 2021-03-10 08:55:20 CET
new version pushed in mga7:

src:
    - itop-itsm-2.7.3-1.mga7

Status comment: Fixed upstream in 2.7.2 => (none)
Assignee: bruno => qa-bugs

Comment 5 David Walser 2021-03-10 18:24:33 CET
Advisory:
========================

Updated itop-itsm package fixes security vulnerability:

By modifying target browser local storage, an XSS can be generated in the iTop
console breadcrumb (CVE-2020-15221).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15221
https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw
========================

Updated packages in core/updates_testing:
========================
itop-itsm-2.7.3-1.mga7

from itop-itsm-2.7.3-1.mga7.src.rpm

Comment 6 Thomas Andrews 2021-03-27 21:46:07 CET
I looked for previous updates to this, and came up dry. Then checked online, finding several tutorials that only served to show to me that this is far too complex for a novice to test adequately. So, I was going to go for a clean install over the old rpm, BUT...

No issues with the original install. But when I went to update, I got this:

1 installation transactions failed

There was a problem during the installation:

file /usr/share/itop-itsm/data from install of itop-itsm-2.7.3-1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch

file /usr/share/itop-itsm/log from install of itop-itsm-2.7.3-1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch

So, it's back in your hands, Nicolas.

CC: (none) => andrewsfarm

David Walser 2021-03-27 21:53:24 CET

Keywords: (none) => feedback