CVE-2025-47773 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in Combodo iTop, a widely used web-based IT service management (ITSM) platform. The flaw exists in versions prior to 2.7.13 and between 3.0.0-alpha and before 3.2.2, specifically triggered when a dashboard is edited through an AJAX call. The vulnerability stems from improper neutralization of input during web page generation, allowing attackers to inject malicious scripts that execute in the context of the victim's browser. This can lead to session hijacking, credential theft, unauthorized actions, or distribution of malware. The vulnerability is remotely exploitable over the network without requiring authentication, but it does require user interaction, such as an administrator or user editing a dashboard. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. Although no known exploits have been reported in the wild, the widespread use of iTop in ITSM environments makes this vulnerability a significant risk. The vendor addressed the issue in versions 2.7.13 and 3.2.2 by implementing proper HTML content protection and input sanitization during dashboard edits. Organizations running vulnerable versions should prioritize patching to mitigate potential exploitation.

For European organizations, this vulnerability poses a substantial risk due to the critical role of ITSM tools like iTop in managing IT infrastructure and services. Exploitation could lead to unauthorized access to sensitive IT management data, manipulation of service configurations, and disruption of IT operations. Confidentiality breaches could expose internal processes, user credentials, and sensitive organizational data. Integrity violations might allow attackers to alter dashboards or configurations, potentially causing mismanagement or service outages. Availability impacts could arise if attackers leverage the vulnerability to execute denial-of-service attacks or propagate malware. Given the remote exploitability without authentication, attackers can target exposed iTop instances over the internet or internal networks, increasing the attack surface. European organizations in sectors such as finance, healthcare, government, and critical infrastructure, which rely heavily on ITSM platforms, face heightened risks. The lack of known exploits in the wild currently provides a window for proactive defense, but the high CVSS score underscores the urgency of mitigation.

1. Immediate upgrade to Combodo iTop versions 2.7.13 or 3.2.2 and later, where the vulnerability is patched. 2. If immediate upgrade is not feasible, implement strict input validation and output encoding on all user-supplied data in dashboard editing functionalities, especially those involving AJAX calls. 3. Restrict access to iTop web interfaces to trusted networks and enforce strong access controls to minimize exposure. 4. Employ web application firewalls (WAFs) with rules targeting XSS attack patterns to provide an additional layer of defense. 5. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 6. Educate administrators and users about the risks of interacting with untrusted content or links within the iTop environment. 7. Monitor logs and network traffic for unusual activities indicative of attempted exploitation. 8. Consider implementing Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks. These measures combined will reduce the risk of exploitation and limit potential damage.