iTOP ITIL ITSM und CMDB Security und Bugfix Update 3.0.3

iTop Logo

Die Open Source ITIL ITSM und CMDB Webanwendung iTop, erheilt das Bugfix Update 3.0.3. Das Update schließt 6 Sicherheitslücken, behebt Fehler im Webhook und bringt Änderungen für User, Administratoren und Entwickler.

Das Update kann seit iTop 2.7.0 bequem über das Menü System -> Anwendungsupgrade durchgeführt werden.

iTOP 3.0.3 Release Notes

For users

  • N°5919 – Add missing linkset descriptions in french and other languages
  • N°5849 – Fix wrong encoding of external keys in “Header with statstics” dashlet
  • N°5317 – Handle overlapping tables when table cells have fixed widths
  • N°6068 – Setup : restore formatting of error messages
  • N°6023 – Restore upload of SVG file in AttributeImage
  • N°5918 – Restore activity panel display when DoCheckToWrite fails
  • N°5865 – Restore DoCheckToWrite error messages in portal
  • N°5834 – Restore activity panel display when creating a Ticket in ‘resolved’ state
  • N°5784 – PHP 8.0: restore mandatory attribute in transition form, fixing emptiness test
  • N°5729 – Fix disabled button in bulk update/transition when picking a value in a drop-down list
  • N°5603 – Restore autocomplete for an external key pointing to an abstract class with no friendlyname
  • N°5530 – Fix list of impacted elements (Impact Analysis) due to mixup in async JS files loading
  • N°5922 – Ext. key widget: Add class selection on “+” button if child classes exist
  • N°2916 – Fix CSV import of IPv6 addresses failing when reconciliation is done on the IP
  • N°5428 – Request template: fix autocomplete fields, which could not be master field
  • N°6014 – AttributeURL : default validation pattern not handling PRTG URL (containing commas)
  • N°5423 – Fix AttributeURL when changing the validation pattern, with a not compliant old value
  • N°5625 – Fix dict error when opening a DocumentFile with the ES language
  • N°2244 – Fix image attributes not being visible in PDF exports
  • N°5588 – Improve PDF export robustness when AttributeImage dimensions cannot be determined

For administrators

  • N°5553 – OAuth 2 : secure Client Secret in DB and any change force token regeneration
  • N°5430 – OAuth authentication : customize redirect landing URL
  • N°5333 – OAuth2: Redirect URL, Client ID or Client Secret changes trigger a message as the token must be regenerated
  • N°5867 – Display binary data size in SynchroReplica details
  • N°5727 – Fix REST API/get_related when using [impacts, up] with [redundancy: true]
  • N°6019 – Increase PHP min version to 7.1.3 to enable dependencies update
  • N°5535 – Fix PHP 8.0.x wrongly repported as not supported in iTop 3.0.2+
  • N°5490 – PHP 8.0: Fix crash of bulk modify with email notification / email approval request
  • N°5216 – Error “Invalid ID given” when sending ActionEmail using cron on a system with french locale
  • N°4974 – Avoid session fixation in login
  • N°5414 – Log invalid placeholders in Notification
  • N°5893 – Log more information when a trigger fails and raises an exception
  • N°5897 – Improve deprecated logs relevance for PHP “trigger_deprecation”
  • N°5611 – Fix missing composer files in itop-oauth-client
  • N°3805 – Fix collectors not working on itop 3.0 in seldom situations
  • N°5944 – Fix error on fresh install: APPLICATION_EVENT_METAMODEL_STARTED not registered
  • N°5765 – Setup: Never cache folder permissions test response
  • N°6016 – Setup : improve missing dependencies log
  • N°5235 – Setup : check temp dir permissions
  • N°5758 – Change setup test for GDPR consent
  • N°5523 – Setup wizard : use the ITOP_APPLICATION constant instead of hardcoded “iTop” string
  • N°5543 – Fix Warning on empty case log
  • N°5901 – Fix warnings in file system tab
  • N°5797 – Use LoadConfig method in all Email children classes
  • N°6020 – Decode method for \utils::EscapeHtml
  • N°5608 – Reorganize tests folders for better maintenance and contribution
  • N°5496 – Add <constants/> in itop-structure
  • N°4660 – Fix data synchro unit test failure due to another setting incorrect permissions on iTop conf file

WebHook 1.2.0

  • N°5368 – Allow all HTTP methods (not just GET / POST)
  • N°5589 – Fix sent request incorrect HTTP method due to new cURL options
  • N°5366 – Add “path” attribute in generic “ActionWebhook” for better compatibility with third-party webservices
  • N°5796 – Fix typo in ActionWebhook::GetRemoteApplicationConnectionFromActionWebhok()
  • N°5774 – De-hardcode webhooks configuration rights
  • N°5252 – Added Other/Generic type of Remote Application Connection
  • N°5367 – Fix non-string values (boolean, null) converted into empty string
  • N°5179 – Add chinese translations (thanks to @bdejin)
  • N°5266 – Add dutch translations (thanks to @jbostoen)
  • N°5050 – Add spanish translations (thanks to Miguel Turrubiates)
  • N°5473 – On JSON format exception, more context log and specific Exception impl (InvalidJsonValueException)


  • N°6017 – CVE-2021-46743: Firebase PHP-JWT key/algorithm type confusion
  • N°5741 – Deny use of get_config_parameter in Twigs
  • N°5725 – Prevent Twig privilege elevation to run system commands
  • N°5724 – CVE-2022-31403 : XSS vulnerability via /itop/pages/ajax.render.php
  • N°5722 – CVE-2022-31402 : XSS vulnerability via /itop/webservices/export-v2.php
  • N°5685 – Upgrade apereo/phpcas lib to fix vulnerability

For developers

  • N°3769 – Add missing HTML meta data on attributes in transition forms
  • N°4947 – Fix Email always picking “production” env config file
  • N°4449 – Console dashboard export : use relative path (full path disclosure)

Quelle: iTop Change Log [iTop Documentation] (

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert