
CVE-2024-52601: CWE-639: Authorization Bypass Through User-Controlled Key in Combodo iTop

Medium
Tags: Vulnerability, CVE-2024-52601, cve, cwe-639
Published: Wed May 14 2025 (05/14/2025, 14:39:15 UTC)
Source: CVE
Vendor/Project: Combodo
Product: iTop

Description

iTop is a web-based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, anyone with an account that has portal access can gain read access to objects they are not allowed to see by querying an unprotected route. Versions 2.7.12, 3.1.3, and 3.2.1 contain a fix for the issue.

AI-Powered Analysis

AILast updated: 07/06/2025, 15:26:31 UTC

Technical Analysis

CVE-2024-52601 is an authorization bypass vulnerability in Combodo iTop, a widely used web-based IT Service Management (ITSM) tool. It is classified under CWE-639, Authorization Bypass Through User-Controlled Key. In iTop versions prior to 2.7.12, 3.1.3, and 3.2.1, any user holding a portal account can query an unprotected route and read objects they are not permitted to view. The root cause is that the application does not enforce authorization checks on certain routes, so an object key supplied in the request (the user-controlled key) is resolved without verifying that the requesting user is allowed to see that object. Exploitation requires nothing beyond a valid portal account and is possible remotely over the network (AV:N). The CVSS v3.1 base score is 6.5 (Medium): low attack complexity, low privileges (PR:L, a portal user), no user interaction, high impact on confidentiality, and no impact on integrity or availability. Versions 2.7.12, 3.1.3, and 3.2.1 of iTop address the issue by applying proper authorization checks on the affected route. No exploits are currently reported in the wild, but the vulnerability poses a significant risk to organizations running affected versions, since sensitive ITSM data could be disclosed to any portal user.
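The CWE-639 pattern described above, as an added illustration that is not iTop's code: a portal route that resolves a request-supplied object key with only a login check, beside the corrected form that narrows the lookup to the caller's visibility scope before resolving the key. The ticket store, the per-organization visibility rule and the handler names are constructed assumptions for this example.

```python
"""Constructed model of CWE-639 in a portal-style object route (not iTop code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortalUser:
    name: str
    org_id: int  # assumption: a portal user may read objects of their own organization only


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    org_id: int
    title: str


# Constructed sample data: tickets of two organizations share one table.
TICKETS = {
    101: Ticket(101, 1, "VPN outage at HQ"),
    102: Ticket(102, 1, "Laptop replacement"),
    201: Ticket(201, 2, "Payroll server credential rotation"),
}


class NotFound(Exception):
    """Raised for missing and out-of-scope objects alike, so the response is not an existence oracle."""


def vulnerable_get_ticket(user: PortalUser, ticket_id: int) -> Ticket:
    # The key comes straight from the request; being logged in is the only check,
    # so any portal user can read any organization's ticket by supplying its id.
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        raise NotFound
    return ticket


def fixed_get_ticket(user: PortalUser, ticket_id: int) -> Ticket:
    # Apply the caller's visibility scope before resolving the key, rather than
    # fetching first and comparing afterwards. An out-of-scope id is then
    # indistinguishable from a nonexistent one.
    visible = {tid: t for tid, t in TICKETS.items() if t.org_id == user.org_id}
    ticket = visible.get(ticket_id)
    if ticket is None:
        raise NotFound
    return ticket


def can_read(handler, user: PortalUser, ticket_id: int) -> bool:
    """Return True if the handler lets `user` read `ticket_id`."""
    try:
        handler(user, ticket_id)
        return True
    except NotFound:
        return False
```

Running `can_read` with both handlers against a user from organization 1 and ticket 201 shows the cross-organization read succeeding only on the vulnerable handler.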

Potential Impact

For European organizations, the impact of CVE-2024-52601 can be significant, especially for those relying on iTop for managing IT services, assets, and configurations. Unauthorized read access to sensitive ITSM data could lead to exposure of confidential information such as internal infrastructure details, user data, service tickets, and configuration management databases. This could facilitate further targeted attacks, social engineering, or compliance violations under regulations like GDPR. The confidentiality breach could undermine trust in IT operations and potentially expose organizations to legal and reputational risks. Since the vulnerability does not affect integrity or availability, direct disruption of services is unlikely; however, the unauthorized data disclosure itself is a critical concern. European organizations with portal users, including contractors or third parties with limited access, are at risk if they operate vulnerable iTop versions. The medium severity rating suggests that while the vulnerability is not critical, it requires timely remediation to prevent potential data leaks.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately upgrade their iTop installations to the fixed versions 2.7.12, 3.1.3, or 3.2.1, depending on their current version branch. If immediate upgrade is not feasible, organizations should restrict portal access to trusted users only and monitor access logs for suspicious queries targeting unprotected routes. Implementing Web Application Firewalls (WAFs) with rules to detect and block anomalous parameter manipulation can provide temporary protection. Additionally, organizations should audit user permissions to ensure minimal necessary access is granted and review ITSM data exposure policies. Regular vulnerability scanning and penetration testing focused on authorization controls in iTop deployments can help identify residual risks. Finally, maintaining an up-to-date inventory of affected software versions and applying vendor patches promptly is essential to reduce exposure.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-11-14T15:05:46.770Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aeca17

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 3:26:31 PM

Last updated: 8/14/2025, 5:34:09 PM

Views: 20
