Lucene search

NCSC.chCVELIST:CVE-2024-6200

HistoryAug 06, 2024 - 5:54 a.m.

CVE-2024-6200 HaloITSM - Stored Cross-Site Scripting in Tickets

2024-08-0605:54:53

CWE-79

NCSC.ch

www.cve.org

haloitsm

stored cross-site scripting

tickets

vulnerability

javascript

patch

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

14.7%

JSON

HaloITSM versions up to 2.146.1 are affected by a Stored Cross-Site Scripting (XSS) vulnerability. The injected JavaScript code can execute arbitrary action on behalf of the user accessing a ticket. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "HaloITSM",
    "vendor": "Halo Service Solutions",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.146.1"
      }
    ]
  }
]

References

haloitsm.com/guides/article/?kbid=2152

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

14.7%

JSON

Related for CVELIST:CVE-2024-6200