CVE-2023-48710: iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. H...

Description

iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.72%

49.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Combodo	Itop	< 2.7.10
Combodo	Itop	>= 3.0.0, < 3.0.4
Combodo	Itop	>= 3.1.0, < 3.1.1

References

Timeline

Published: Apr 15, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-48710?

iTop is an IT service management platform. Files from the `env-production` folder can be retrieved even though they should have restricted access. Hopefully, there is no sensitive files stored in that folder natively, but there could be from a third-party module. The `pages/exec.php` script as been fixed to limit execution of PHP files only. Other file types won't be retrieved and exposed. The vulnerability is fixed in 2.7.10, 3.0.4, 3.1.1, and 3.2.0.

How severe is CVE-2023-48710?

CVE-2023-48710 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.72% probability of exploitation in the next 30 days.

How do I fix CVE-2023-48710?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.