Our mission
At Syncode, our goal has always been to hunt proactively for vulnerabilities rather than wait for the next breach. In late 2022 and 2023 our security team uncovered eight security vulnerabilities across two enterprise-grade platforms: iTop, an open-source ITSM used by hundreds of companies worldwide, and Axiell Iguana CMS, a library and digital content management system deployed in museums and libraries across Europe.
In this post we walk through how we identified, validated, and responsibly disclosed these vulnerabilities, resulting in eight CVE IDs for issues that are now patched. Whether you are a pentester, software vendor, or sysadmin, these findings carry lessons for anyone managing software at scale.
How we work
Our journey with Axiell Iguana CMS started through the Responsible Disclosure program of the City of The Hague, hosted on Zerocopter. While testing the infrastructure of Bibliotheek Den Haag, we identified vulnerabilities in its CMS software, which we later traced to Axiell Iguana. After disclosing to the City of The Hague, we decided to pursue official CVE assignments to improve visibility and ensure long-term remediation.
The iTop vulnerabilities were found independently while reviewing open-source projects on GitHub. We noticed exposed endpoints and reflected-input handling issues, audited the platform further, and reported everything through GitHub's official security disclosure channel. This was purely a good-will effort to improve the open-source security landscape.
Disclosure process
For the Axiell Iguana CMS vulnerabilities, we worked with the Dutch Institute for Vulnerability Disclosure (DIVD), who helped coordinate communication with Axiell and ensure fixes were responsibly deployed. Their assistance was crucial in verifying the issues and helping assign CVEs.
For the iTop vulnerabilities in Combodo's platform we used GitHub's public security reporting interface: through the "Report a Vulnerability" feature we submitted the findings directly to the Combodo team. They responded promptly and resolved all four issues in version 3.0.4 and later, and GitHub security advisories were published for transparency.
We appreciate the professional response and collaboration from both Axiell and Combodo. This process reflects how responsible disclosure can strengthen global software ecosystems.
Vulnerabilities we reported
Axiell Iguana CMS Vulnerabilities
Axiell's Iguana CMS is a web-based content management system designed for libraries, archives, and museums. Built by Axiell Group, one of the largest cultural tech providers in Europe, Iguana helps public institutions curate and publish digital collections. It is widely adopted across Nordic countries and the Netherlands, often integrated into municipal digital library services.
CVE-2022-45049
Vulnerability: Reflected XSS in novelist.php
Impact: JavaScript supplied in the url parameter is reflected into the response and executes in the browser of any library user who follows a crafted link.
Link: MITRE CVE-2022-45049
CVE-2022-45050
Vulnerability: Reflected XSS in twitter.php
Impact: The title parameter was not sanitized, so JavaScript could be injected into the share links generated from the CMS homepage.
Link: NVD CVE-2022-45050
CVE-2022-45051
Vulnerability: Reflected XSS in Service.template.cls
Impact: Crafted module values could inject script into the page context of staff dashboards.
Link: NVD CVE-2022-45051
CVE-2022-45052
Vulnerability: Local File Inclusion in Proxy.type.php and imageProxy.type.php
Impact: Arbitrary local files could be read by supplying percent-encoded traversal sequences in the url value, exposing configuration files and credentials.
Link: NVD CVE-2022-45052
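The LFI entry above turns on one detail: the traversal sequence was percent-encoded, so a filter that inspects the raw url value never sees "../". The added Python example below is ours, not Axiell's code, and uses hypothetical function names and a constructed temporary directory; it shows the naive blocklist being bypassed by %2e%2e%2f, and the hardened form that decodes once, canonicalizes with realpath, and then requires the result to stay under the allowed root (the check that actually matters, independent of how the input was encoded).

```python
"""Path containment for a proxy/file-serving endpoint (illustrative, not vendor code).

Bug class: a blocklist on the raw `url` parameter misses percent-encoded
traversal. Fix: decode, canonicalize, then check containment against ROOT.
All paths, files and contents below are constructed for the demo.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed layout:  BASE/public/images/logo.png  (served)
#                      BASE/config.ini              (must never be reachable)
BASE = tempfile.mkdtemp(prefix="lfi_demo_")
ROOT = os.path.join(BASE, "public")
os.makedirs(os.path.join(ROOT, "images"))
with open(os.path.join(ROOT, "images", "logo.png"), "wb") as fh:
    fh.write(b"\x89PNG constructed sample")
with open(os.path.join(BASE, "config.ini"), "w") as fh:
    fh.write("db_password=constructed-secret\n")


def vulnerable_fetch(url_param: str) -> Optional[bytes]:
    """Blocklist applied BEFORE decoding, then open whatever the decoded path names.

    "%2e%2e%2fconfig.ini" does not contain "../" literally, passes the check,
    decodes to "../config.ini" and reads the secret one level above ROOT.
    """
    if "../" in url_param:
        return None
    path = unquote(url_param)
    try:
        with open(os.path.join(ROOT, path), "rb") as fh:
            return fh.read()
    except OSError:
        return None


def hardened_fetch(url_param: str) -> Optional[bytes]:
    """Decode once, resolve to a canonical absolute path, require it to live under ROOT."""
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:          # file://, http://, //host/... are not local paths
        return None
    # os.path.join discards ROOT when the decoded path is absolute; realpath also
    # collapses ".." and symlinks, so the containment check below sees the real target.
    candidate = os.path.realpath(os.path.join(ROOT, unquote(parts.path)))
    root = os.path.realpath(ROOT)
    if os.path.commonpath([root, candidate]) != root:
        return None                            # escaped ROOT by any encoding or symlink
    try:
        with open(candidate, "rb") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    for param in ("images/logo.png", "%2e%2e%2fconfig.ini", "/etc/passwd", "file:///etc/passwd"):
        print(f"{param!r:28} vulnerable={vulnerable_fetch(param) is not None!s:5} "
              f"hardened={hardened_fetch(param) is not None}")
```

Note that the hardened version never tries to enumerate bad sequences: double-encoding, backslashes, or a symlink planted inside the root all end up at a canonical path, and that path either is under ROOT or it is not.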
Combodo iTop Vulnerabilities
iTop (IT Operations Portal) is an open-source IT Service Management platform developed by Combodo. It's used to manage CMDBs, service desks, incident and change workflows, and is popular among IT departments and managed service providers. It has been downloaded hundreds of thousands of times and powers IT workflows in sectors ranging from finance and government to universities and telecoms.
CVE-2023-34444
Vulnerability: XSS in ajax.searchform.php
Impact: Reflected script execution in the advanced search UI; usable for phishing and session hijacking.
Links: NVD • GitHub Advisory
CVE-2023-34445
Vulnerability: XSS in ajax.render.php
Impact: Script injection through the HTML rendering function; injected content could persist in dashboards.
Links: NVD • GitHub Advisory
CVE-2023-34446
Vulnerability: XSS in preferences.php
Impact: User preference values were reflected into the page unsanitized, which on shared systems could lead to privilege escalation.
Link: NVD CVE-2023-34446
CVE-2023-34447
Vulnerability: XSS in UI.php
Impact: Persistent XSS via improperly escaped parameters in the admin panel; could be used to steal session cookies.
Links: NVD • GitHub Advisory
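Every XSS above (the three Iguana entries and the four iTop entries) is the same mistake: a request parameter written into HTML without encoding for the context it lands in. The added example below is ours, not Combodo's or Axiell's code, uses a hypothetical template with a title and a link parameter, and shows the raw reflection beside the escaped version. It also carries the caveat practitioners most often miss: HTML-escaping a value is not enough when it becomes an href, where a javascript: URL executes without any angle brackets at all, so the scheme has to be validated separately.

```python
"""Reflected XSS: raw reflection versus context-aware output encoding (illustrative).

Hypothetical template: a page heading and a share link built from two request
parameters, `title` and `link`. Inputs below are constructed for the demo.
"""
import html
import re
from urllib.parse import urlsplit

PAYLOAD = '"><script>alert(document.cookie)</script>'   # constructed attacker input
LIVE_SCRIPT = re.compile(r"<script\b", re.IGNORECASE)    # an unescaped tag the browser would run


def render_vulnerable(title: str, link: str) -> str:
    """Interpolates request parameters straight into markup: the reported bug class."""
    return f'<h1>{title}</h1><a href="{link}" title="{title}">share</a>'


def safe_url(link: str) -> str:
    """Only absolute http(s) URLs are allowed in href; javascript:, data:, vbscript:
    and protocol-relative //host links are replaced by '#'. The survivor is then
    attribute-escaped so a quote inside it cannot close the attribute."""
    scheme = urlsplit(link.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(link, quote=True)


def render_hardened(title: str, link: str) -> str:
    """Text and attribute contexts get html.escape (& < > " '); the URL gets a scheme check."""
    safe_title = html.escape(title, quote=True)
    return f'<h1>{safe_title}</h1><a href="{safe_url(link)}" title="{safe_title}">share</a>'


def contains_live_script(markup: str) -> bool:
    """Demo oracle: does an unescaped <script tag survive rendering?"""
    return bool(LIVE_SCRIPT.search(markup))


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD, "javascript:alert(1)"))
    print(render_hardened(PAYLOAD, "javascript:alert(1)"))
```

The escaped heading renders the payload as literal text, and the link degrades to "#" instead of executing. A JavaScript context (a value placed inside a <script> block or an inline event handler) needs yet another encoding and is best avoided altogether by passing data through a data- attribute and reading it from script.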
Impact & acknowledgements
These findings demonstrate the value of deep manual analysis combined with automation. Both Axiell and Combodo acted swiftly to deploy patches and publish advisories for the assigned CVEs. We're proud to contribute to the security of software relied on by thousands of organizations.
If you're a vendor or enterprise using open-source platforms like iTop or Iguana CMS, make sure your systems are up to date with the latest patches.
Let’s secure your software
Our expert pentesters simulate attacks to uncover real-world vulnerabilities.