CVE-2025-49145

Published Nov 10, 2025

Last updated 4 months ago

CVSS high 8.7

Overview

Description
Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators) can drop the database. This is fixed in iTop 2.7.13 and 3.2.2 by verifying callback signature.
Source
security-advisories@github.com
NVD status
Analyzed
Products
itop

Risk scores

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
5.2
Exploitability score
1.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-863

Social media

Hype score
Not currently trending

  1. [CVE-2025-49145: HIGH] Critical security update for Combodo iTop! Versions below 2.7.13 and 3.2.2 allow admin users to drop the database via webhooks. Update to 2.7.13/3.2.2 to fix this vulnerability.#cve,CVE-2025-49145,#cybersecurity https://t.co/RJzmU3N9L5 https://t.co/olOZDttC

    @CveFindCom

    10 Nov 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-49145 pertains to a critical security flaw in specific versions of **Combodo iTop**, a widely used web-based IT service management platform. The flaw allows a user with sufficiently elevated privileges—specifically, users capable of creating webhooks (typically

    @CveTodo

    10 Nov 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-49145 Combodo iTop is a web based IT service management tool. In versions prior to 2.7.13 and 3.2.2, a user that has enough rights to create webhooks (mostly administrators… https://t.co/8hfyc91iPM

    @CVEnew

    10 Nov 2025

    253 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to a cross-site scripting attack (leading to JS execution) when editing the URL parameter. Versions 2.7.13 and 3.2.2 don't use export.php, which was deprecated. They use export-v2.php instead.CVE-2025-64167
  2. Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue.CVE-2025-48878
  3. iTop is an web based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contacts picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue.CVE-2025-24969
  4. iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, 3.1.3 and 3.2.1.CVE-2025-24022
  5. iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account having portal access can set value to object fields when they're not supposed to. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.CVE-2025-24021

References

Sources include official advisories and independent security research.