CVE-2024-21838

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: Mar 5, 2024 / Updated: 8mo ago

CVSS 6.8 (Medium) / EPSS 0.04%

Improper neutralization of special elements in output (CWE-74) in the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre: text supplied by an authenticated, low-privileged user is placed into the HTML body of a server-generated email without being escaped, so that user can insert arbitrary markup (links, images, forms) that the recipient's mail client renders as if it came from the server. This issue affects Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), and all versions of 8.60 and prior.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
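The pattern the advisory describes, as an added example that is not Gallagher's code: a server builds an HTML notification email by string interpolation, and a field that a low-privileged operator controls goes in unescaped. The template, the field names (site, note) and the sample payload are constructed for illustration only; the hardened variant escapes each untrusted field, and the check function shows how to spot markup in a rendered body that did not come from the template.

```python
import html
import re

# Constructed template (assumption: hypothetical notification layout, not the
# product's real email template or field names).
TEMPLATE = "<html><body><p>Alarm at {site}: {note}</p></body></html>"


def render_email_vulnerable(site: str, note: str) -> str:
    """CWE-74 pattern: caller-controlled text goes straight into the HTML body."""
    return TEMPLATE.format(site=site, note=note)


def render_email_hardened(site: str, note: str) -> str:
    """Escape every untrusted field before it enters the HTML body.

    quote=True also escapes " and ', so the value is safe inside attributes too.
    """
    return TEMPLATE.format(
        site=html.escape(site, quote=True),
        note=html.escape(note, quote=True),
    )


# Matches any opening or closing tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
TAG_NAME_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def injected_tags(rendered: str, trusted_tags=("html", "body", "p")) -> list[str]:
    """Return every tag in the rendered body whose name is not part of the template.

    Anything listed here arrived through a data field rather than the template,
    which is exactly what the neutralization step is supposed to prevent.
    """
    found = []
    for m in TAG_RE.finditer(rendered):
        name = TAG_NAME_RE.match(m.group(0)).group(1).lower()
        if name not in trusted_tags:
            found.append(m.group(0))
    return found


# Constructed payload: a phishing link and a tracking pixel typed into an
# operator-editable text field.
PAYLOAD = (
    '<a href="https://example.invalid/login">Re-authenticate</a>'
    '<img src="https://example.invalid/track.gif">'
)

if __name__ == "__main__":
    bad = render_email_vulnerable("Lobby", PAYLOAD)
    good = render_email_hardened("Lobby", PAYLOAD)
    print("vulnerable render contains injected tags:", injected_tags(bad))
    print("hardened render contains injected tags:", injected_tags(good))
```

The check is deliberately template-aware: an allow-list of the tags the template itself emits is the only reliable way to tell injected markup from legitimate markup in the output, and it is cheap enough to run as a unit test against every email template a server produces.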

Timeline

CVE Assignment

NVD published the first details for CVE-2024-21838

Mar 4, 2024 at 7:15 PM
First Article

Feedly found the first article mentioning CVE-2024-21838. See article

Mar 5, 2024 at 3:24 AM / National Vulnerability Database
EPSS

EPSS Score was set to: 0.04% (Percentile: 7%)

Mar 5, 2024 at 2:59 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 16, 2024 at 7:03 PM

Affected Systems

Gallagher/command_centre

Links to Mitre Att&cks

T1562.003: Impair Command History Logging (automated mapping; it does not describe this flaw, which is markup injection into server-generated email, not tampering with command history)

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables (automated mapping; it does not apply here, as the issue is an output-encoding failure (CWE-74), not memory corruption)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
