CVE-2024-6201

HaloITSM versions up to 2.146.1 are affected by a Template Injection vulnerability within the engine used to generate emails. This can lead to the leakage of potentially sensitive information. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://haloitsm.com/guides/article/?kbid=2153	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:haloservicesolutions:haloitsm::::::::
	cpe:2.3:a:haloservicesolutions:haloitsm::::::::

History

29 Aug 2024, 17:52

Type	Values Removed	Values Added
First Time		Haloservicesolutions Haloservicesolutions haloitsm
CWE		NVD-CWE-Other
References	~~() https://haloitsm.com/guides/article/?kbid=2153 -~~	() https://haloitsm.com/guides/article/?kbid=2153 - Vendor Advisory
CPE		cpe:2.3:a:haloservicesolutions:haloitsm::::::::

06 Aug 2024, 16:30

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-06 06:15

Updated : 2024-08-29 17:52

NVD link : CVE-2024-6201

Mitre link : CVE-2024-6201

CVE.ORG link : CVE-2024-6201

JSON object : View

Products Affected

haloservicesolutions

haloitsm

CWE

NVD-CWE-Other

{"id": "CVE-2024-6201", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "vulnerability@ncsc.ch", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-08-06T06:15:35.283", "references": [{"url": "https://haloitsm.com/guides/article/?kbid=2153", "tags": ["Vendor Advisory"], "source": "vulnerability@ncsc.ch"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "HaloITSM versions up to 2.146.1 are affected by a Template Injection vulnerability within the engine used to generate emails. This can lead to the leakage of potentially sensitive information. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability."}, {"lang": "es", "value": "Las versiones de HaloITSM hasta la 2.146.1 se ven afectadas por una vulnerabilidad de inyecci\u00f3n de plantilla dentro del motor utilizado para generar correos electr\u00f3nicos. Esto puede provocar la filtraci\u00f3n de informaci\u00f3n potencialmente confidencial. Las versiones de HaloITSM posteriores a la 2.146.1 (y los parches a partir de la 2.143.61) corrigen la vulnerabilidad mencionada."}], "lastModified": "2024-08-29T17:52:07.493", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haloservicesolutions:haloitsm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A015991C-B19E-4216-9EDA-565C39027C93", "versionEndExcluding": "2.143.21"}, {"criteria": "cpe:2.3:a:haloservicesolutions:haloitsm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEBD3BDE-57DA-41C9-821A-F8C6A8864FC7", "versionEndExcluding": "2.146.1", "versionStartIncluding": "2.144"}], "operator": "OR"}]}], "sourceIdentifier": "vulnerability@ncsc.ch"}