CVE-2025-40846

Severity CVSS v4.0:

HIGH

Type:

CWE-20 Input Validation

Publication date:

08/05/2025

Last modified:

08/05/2025

Description

Improper Input Validation, the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and inject JavaScript code to perform cross site scripting attack.<br /> <br /> The vulnerability affects Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:L/U:Red CVSS v4.0 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:L/U:Red

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): Active
Confidentiality (VC): High
Integrity (VI): Low
Availability (VA): None
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High
Safety (S): Present
Automatable (AU): Yes
Recovery (R): User
Vulnerability Response Effort (RE): Low
Provider Urgency (U): Red

Base Score 4.0

7.10

Severity 4.0

HIGH

References to Advisories, Solutions, and Tools

https://support.haloservicedesk.com/kb?id=2501