{"id":"CVE-2023-48710","summary":"iTop limit pages/exec.php script to PHP files","details":"iTop is an IT service management platform.  Files from the `env-production` folder can be retrieved even though they should have restricted access.  Hopefully, there are no sensitive files stored in that folder natively, but there could be from a third-party module. \n The `pages/exec.php` script has been fixed to limit execution to PHP files only.  Other file types won't be retrieved and exposed.  The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.","aliases":["GHSA-g652-q7cc-7hfc"],"modified":"2026-04-10T05:05:46.025266Z","published":"2024-04-15T17:47:51.113Z","database_specific":{"cwe_ids":["CWE-552"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/48xxx/CVE-2023-48710.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/48xxx/CVE-2023-48710.json"},{"type":"ADVISORY","url":"https://github.com/Combodo/iTop/security/advisories/GHSA-g652-q7cc-7hfc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48710"},{"type":"FIX","url":"https://github.com/Combodo/iTop/commit/3b2da39469f7a4636ed250ed0d33f4efff38be26"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/combodo/itop","events":[{"introduced":"0"},{"fixed":"2fd9523c16d9183c2be282b98a58ce15bf74a365"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.7.10"}]}},{"type":"GIT","repo":"https://github.com/combodo/itop","events":[{"introduced":"682c821d0ef14224b2182ea5840ae1739600bc22"},{"fixed":"b8892e965161992618dbfdbe6aa89eda79d6c92d"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.0.4"}]}},{"type":"GIT","repo":"https://github.com/combodo/itop","events":[{"introduced":"9b409b117f4b5308678d6ab4f3e3ea6dc1fd58cd"},{"fixed":"be699b4358b253d34835f763316877a66e1ba072"}],"database_specific":{"versions":[{"introduced":"3.1.0"},{"fixed":"3.1.1"}]}}]
,"versions":["1.0.8","2.6.1","2.6.2","2.6.3","2.7.1","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7","2.7.8","2.7.9","3.0.0","3.0.1","3.0.1-designer-feature-lot1","3.0.1-designer-feature-lot2","3.0.2-rc1","3.0.3","3.0.3-designer-php8.0-compatibility","N1963","N2011","N2016","N941","N941-2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-48710.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}