Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-21838

Severity CVSS v4.0:
Pending analysis
Type:
CWE-74 Injection
Publication date:
05/03/2024
Last modified:
10/02/2025

Description

<br /> Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. <br /> <br /> This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6),  all version of 8.60 and prior.<br /> <br /> <br /> <br />

Impact

Vector 3.x
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.80 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): None
Integrity (I): High
Availability (A): None

Base Score 3.x
6.80
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:* 8.60 (including)
cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:* 8.70 (including) 8.70.2526 (excluding)
cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:* 8.80 (including) 8.80.1526 (excluding)
cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:* 8.90 (including) 8.90.1751 (excluding)
cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:* 9.00 (including) 9.00.1774 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools