{"id":"CVE-2021-41245","details":"Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by `privUITransactionFile` aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, switch to the session implementation by enabling it in the iTop config file.","modified":"2026-04-10T04:38:24.467396Z","published":"2022-04-05T15:15:08.013Z","related":["GHSA-33pr-5776-9jqf"],"references":[{"type":"ADVISORY","url":"https://github.com/Combodo/iTop/security/advisories/GHSA-33pr-5776-9jqf"},{"type":"FIX","url":"https://github.com/Combodo/iTop/commit/7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186"},{"type":"EVIDENCE","url":"https://huntr.dev/bounties/0a39630d-f4b9-4468-86d8-aea3b02f91ae"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/combodo/itop","events":[{"introduced":"0"},{"fixed":"b190d0e385c3d9a0e447004e9a87a2863e508403"},{"fixed":"7757f1f2d2330d49a3ebb40194f5ec4c8eaf8186"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.7.6"}]}}],"versions":["1.0.8","2.6.1","2.6.2","2.6.3","2.6.4","2.7.1","2.7.2","2.7.3","2.7.4","2.7.5","N1963","N2011","N2016","N941","N941-2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41245.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"}]}