
CVE-2023-47488

Severity: Medium
Published: 09 November 2023
Modified: 29 September 2025
KEV Added: not listed
Patch: no vendor patch reference recorded
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0463 (89.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-47488 is a medium-severity cross-site scripting (CWE-79) vulnerability in Combodo iTop, with a CVSS v3.1 base score of 6.1 (Medium).

Operationally, it ranks in the top 10.5% of CVEs by EPSS exploit likelihood (89.5th percentile) and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-47488 is a cross-site scripting vulnerability in Combodo iTop version 3.1.0-2-11973. It is triggered by unsanitised input reaching the attrib_manager_id parameter of the General Information page and the id parameter of the contact page: values supplied there are written into the rendered HTML without neutralisation, so a crafted value can inject script. The weakness is classified as CWE-79 and scored 6.1 under CVSS v3.1.

The CVSS vector (AV:N, PR:N, UI:R, S:C) describes the flaw as reachable over the network without authentication, requiring a victim to take an action such as following a crafted link, and executing in the scope of the victim's browser session rather than on the vulnerable server. The injected script runs with whatever the victim's session can see, which is how the "sensitive information" in the description is obtained. The page does not say whether the injection is reflected or stored; the UI:R and S:C components fit the reflected case. Note that the vulnerability description below says "local attacker" while the vector says network; the two are inconsistent and the page does not resolve this.

The listed references are researcher write-ups and proof-of-concept pages rather than vendor advisories, so no official mitigation guidance is present in the provided data; whether a later iTop release addresses the issue has to be confirmed against the vendor's own release notes, which this page does not cite. The EPSS score is low in absolute terms (an estimated 4.6% probability of exploitation activity) but high relative to other CVEs, and it has moved little between its current value of 0.0463 and its recorded peak of 0.0511.

Vulnerability details

Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

No named actor attribution yet; ATT&CK technique mapping for this CVE is in progress.

Affected Assets

Vendor: combodo
Product: itop
Version: 3.1.0-2-11973

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-79): submits XSS payloads to the web application's parameters and checks whether they are reflected unencoded, detecting cross-site scripting flaws for subsequent remediation.

Input validation (addresses CWE-79): validates web inputs against what the parameter is expected to hold (for example, an identifier should be numeric) and rejects script-related content that could produce XSS. On its own this is a weak defence, because a value that passes validation can still be unsafe in a particular HTML context.

Output encoding and validation (addresses CWE-79): encodes or validates every value written into generated web pages, using the encoding appropriate to the context (text node, attribute value, script, URL), so that injected script is neutralised or rejected. This is the primary control for CWE-79.
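As an added example, not code from iTop or from this page's sources, the following Python sketches the parameter-reflection pattern described in the analysis above together with the penetration-testing and input/output validation controls just listed: a hypothetical contact page that echoes the id and attrib_manager_id parameters into HTML unencoded, a hardened version that allow-lists the identifier and HTML-encodes what it writes, and a probe of the kind a penetration test runs, which detects unsafe reflection by checking whether a marked payload comes back verbatim. The /contact path, the markup, the marker string and the sample URL are all constructed for illustration; nothing here reproduces iTop's actual templates or the original proof of concept.

```python
import html
import re
from typing import Callable
from urllib.parse import parse_qs, urlsplit

Renderer = Callable[[dict[str, str]], str]


# Hypothetical stand-in for the affected contact page; NOT iTop's template.
# It writes the `id` parameter into a text node and `attrib_manager_id` into
# an attribute value without any neutralisation, which is the CWE-79 pattern.
def vulnerable_contact_page(query: dict[str, str]) -> str:
    contact_id = query.get("id", "")
    manager_id = query.get("attrib_manager_id", "")
    return (
        "<html><body>"
        f"<h1>Contact {contact_id}</h1>"
        f'<input name="attrib_manager_id" value="{manager_id}">'
        "</body></html>"
    )


# Hardened version of the same hypothetical page: the identifier is validated
# against an allow-list before use, and every value written into markup is
# HTML-encoded with quotes escaped, which is correct for both the text context
# and the double-quoted attribute context used here.
ID_PATTERN = re.compile(r"[0-9]{1,10}")


def hardened_contact_page(query: dict[str, str]) -> str:
    contact_id = query.get("id", "")
    if not ID_PATTERN.fullmatch(contact_id):
        return "<html><body><h1>Bad request</h1></body></html>"
    manager_id = html.escape(query.get("attrib_manager_id", ""), quote=True)
    return (
        "<html><body>"
        f"<h1>Contact {html.escape(contact_id, quote=True)}</h1>"
        f'<input name="attrib_manager_id" value="{manager_id}">'
        "</body></html>"
    )


# Probe strings of the kind a penetration test sends. Each carries a marker so
# the check is not fooled by unrelated page content, plus the characters that
# break out of the two HTML contexts used above.
MARKER = "xss7q2"  # arbitrary constructed marker
PROBES = {
    "angle_brackets": f"<{MARKER}>",  # breaks out of a text node
    "double_quote": f'"{MARKER}=',    # breaks out of a quoted attribute
}


def probe_parameter(render: Renderer, base_query: dict[str, str], param: str) -> list[str]:
    """Return the names of the probes that came back in the response verbatim,
    i.e. without any encoding. A non-empty list means `param` is reflected
    unsafely by `render`."""
    reflected = []
    for name, payload in PROBES.items():
        query = dict(base_query)
        query[param] = payload
        if payload in render(query):
            reflected.append(name)
    return reflected


def scan(render: Renderer, url: str) -> dict[str, list[str]]:
    """Probe every query parameter in `url` against `render` and report, per
    parameter, which probes were reflected unencoded."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    base_query = {key: values[0] for key, values in parsed.items()}
    return {param: probe_parameter(render, base_query, param) for param in base_query}


if __name__ == "__main__":
    # Constructed sample URL; the path and values are illustrative only.
    target = "/contact?id=3&attrib_manager_id=42"
    print("vulnerable:", scan(vulnerable_contact_page, target))
    print("hardened:  ", scan(hardened_contact_page, target))
    # What a real payload does to the unsafe attribute context:
    evil = {"id": "3", "attrib_manager_id": '"><script>alert(document.domain)</script>'}
    print(vulnerable_contact_page(evil))
```

The probe deliberately reports verbatim reflection rather than trying to prove script execution: a parameter that echoes angle brackets and quotes unencoded is a finding regardless of which exact payload eventually fires, and that is what a tester then hands to the developers for remediation. Against a real target the render callable would be replaced by an HTTP request to the page under test.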
