Auth bypass in Combodo Itop
CVE-2025-49145
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verify…
Vulnerability class: Broken Access Control
EPSS: 0.003 (18.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.7 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H.
Affected products
- Combodo Itop — versions < 2.7.13, >= 3.0.0-alpha, < 3.2.2
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
Frequently asked questions
- What is CVE-2025-49145?
- CVE-2025-49145 is a high-severity vulnerability in Combodo Itop, classified under Incorrect Authorization. CVSS score: 8.7/10. Published 2025-11-10.
- How severe is CVE-2025-49145?
- High severity. CVSS v3 base score is 8.7 out of 10.