
#2204 Stored Cross-Site-Scripting (XSS)

3.1.0
closed
None
User Interface
High
3.1.0
defect
2024-03-20
2023-11-05
No

Hi,
During my research, I discovered a Stored XSS vulnerability in your application.
My PoC is in the attached file.


Discussion

  • Vincent @ Combodo

    Thanks for the feedback, but for security issues it's not recommended to make them public. A ticket is not the right process; please use this one.
    This allows you to get private feedback on fix progress.

    Last edit: Vincent @ Combodo 2023-11-06
  • Vincent @ Combodo

    • Attachments has changed:

    Diff:

    --- old
    +++ new
    @@ -1 +0,0 @@
    -PoC_Stored_XSS.docx (842.5 kB; application/vnd.openxmlformats-officedocument.wordprocessingml.document)
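    Review bot: removing PoC_Stored_XSS.docx from the public ticket is the right call here, since the attachment carried reproduction details for an issue that was not yet fixed at the time; the ticket title and description stay public, so any further detail on this report belongs in the private channel requested in the comment above rather than in this thread.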
    
     
  • Pierre Goiffon

    Pierre Goiffon - 2023-11-06
    • status: new --> closed
     
  • Pierre Goiffon

    Pierre Goiffon - 2023-11-06
    • assigned_to: Vincent @ Combodo
     
  • Nguyễn Hữu Cường

    I sent you an email but I haven't received any response yet

     
  • Guillaume Lajarige

    Hello,

    This has been tracked under N°6917 and fixed.
    Vincent will provide more details via the request you opened on our portal :)

    Thanks!
    Guillaume

     
    • Nguyễn Hữu Cường

      Tracked as N°6917, was it found by me or did someone else find it?


    • Guillaume Lajarige

      It was found by you, yes.

       
      • Nguyễn Hữu Cường

        With the vulnerability I found, can I receive CVE or bounty?


      • Guillaume Lajarige

        We requested a CVE for the vulnerability and credited you as the reporter.
        To have all this information, please reply to the email you received from Combodo; it is the proper way of communication until the vulnerability is disclosed to the public.

         
      • Guillaume Lajarige

        @cisou https://sourceforge.net/u/cisou/
        • Nguyễn Hữu Cường

          Thank you very much. I hope to receive an email from Combodo soon.


        • Nguyễn Hữu Cường

          I have seen CVE-2023-47488 related to itop published on the internet but I have not seen any information sent to me.

           
          • Guillaume Lajarige

            Hello, I am forwarding this to the person handling it.

            Thanks,
            Guillaume

             
  • Nguyễn Hữu Cường

    I look forward to hearing from you officially and I have also discovered some security issues. Can I send it to this email itop-security@combodo.com?

     
  • Guillaume Lajarige

    Yes, please send them to that email address; I'll ensure that someone acknowledges it.

     
  • BenGrenoble

    BenGrenoble - 2023-12-19

    Hello,

    I sent you a mail on 26-11-2023 at 09:29:00 from support@combodo.com.

    The CVE-2023-47123 has been reserved.

    According to our security policy it'll be published 3 months after the release of the 3.1.1 version, as explained by Vincent previously.

    You'll be credited on the CVE. Unfortunately we do not offer bounties.

    Thanks a lot for your contribution.

    Best regards,
    Ben

     
    • Nguyễn Hữu Cường

      I have searched all mails but I have not received any mails from
      support@combodo.com.


    • Nguyễn Hữu Cường

      Hi,

      I saw you posted CVE-2023-47123 on https://www.itophub.io/. But I have not
      received any information about CVE-2023-47123. Can you give me more
      information about CVE-2023-47123?

      Thanks


  • Guillaume Lajarige

    Hello,

    This was fixed in iTop 3.1.1-1 which is now available for download here :)

    Take care,
    Guillaume

     
  • BenGrenoble

    BenGrenoble - 2024-03-20

    Hello,

    According to our security policy, and as mentioned in my previous message, the CVEs are published 3 months after the release of the correcting version.
    The 3.1.1-1 has been released in January so the corresponding CVEs will be published next month.

    Thanks for your understanding,
    Ben

     