CVE-2025-40846 HaloITSM open redirect via the returnUrl
Improper Input Validation: the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and to inject JavaScript code to perform a cross-site scripting attack. The vulnerability affects Halo versions up to...
CVE-2024-6200
HaloITSM versions up to 2.146.1 are affected by a Stored Cross-Site Scripting (XSS) vulnerability. The injected JavaScript code can execute arbitrary actions on behalf of the user accessing a ticket. HaloITSM versions past 2.146.1 and patches starting from 2.143.61 fix the mentioned vulnerability...
CVE-2024-6202
HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability. When a SAML integration is configured, anonymous actors could impersonate arbitrary HaloITSM users by just knowing their email address. HaloITSM versions past 2.146.1 and patches starting from...
CVE-2024-6203
HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users given their email address is known. When these poisoned links get accessed e.g. manually by the victim or automatically by an email client...
CVE-2024-6201
HaloITSM versions up to 2.146.1 are affected by a Template Injection vulnerability within the engine used to generate emails. This can lead to the leakage of potentially sensitive information. HaloITSM versions past 2.146.1 and patches starting from 2.143.61 fix the mentioned vulnerability...
CVE-2024-6201
HaloITSM versions up to 2.146.1 are affected by a Template Injection vulnerability within the engine used to generate emails. This can lead to the leakage of potentially sensitive information. HaloITSM versions past 2.146.1 and patches starting from 2.143.61 fix the mentioned vulnerability...
CVE-2024-6203 HaloITSM - Password Reset Poisoning
HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users given their email address is known. When these poisoned links get accessed e.g. manually by the victim or automatically by an email client...
CVE-2024-6203
HaloITSM is affected by a Password Reset Poisoning vulnerability (CVE-2024-6203) affecting versions up to 2.146.1. The issue allows sending poisoned password reset links to existing users, and when such a link is accessed, the password reset token can be leaked to an attacker, enabling password c...
CVE-2024-6202 HaloITSM - SAML XML Signature Wrapping (XSW)
HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability. When a SAML integration is configured, anonymous actors could impersonate arbitrary HaloITSM users by just knowing their email address. HaloITSM versions past 2.146.1 and patches starting from...
CVE-2024-6202
CVE-2024-6202 concerns HaloITSM. A SAML XML Signature Wrapping (XSW) vulnerability affects HaloITSM versions up to 2.146.1 with a SAML integration configured, allowing anonymous actors to impersonate arbitrary HaloITSM users by knowing their email address. The issue is addressed in versions past ...
CVE-2024-6201
HaloITSM is affected by a Template Injection vulnerability in the email-generation engine. Affected: HaloITSM versions up to 2.146.1. Impact: leakage of potentially sensitive information. Remediation: apply patches starting from 2.143.61 or upgrade to a version past 2.146.1, as referenced by the ...
CVE-2024-6201 HaloITSM - Emailing Template Injection
HaloITSM versions up to 2.146.1 are affected by a Template Injection vulnerability within the engine used to generate emails. This can lead to the leakage of potentially sensitive information. HaloITSM versions past 2.146.1 and patches starting from 2.143.61 fix the mentioned vulnerability...
CVE-2024-6200 HaloITSM - Stored Cross-Site Scripting in Tickets
HaloITSM versions up to 2.146.1 are affected by a Stored Cross-Site Scripting (XSS) vulnerability. The injected JavaScript code can execute arbitrary actions on behalf of the user accessing a ticket. HaloITSM versions past 2.146.1 and patches starting from 2.143.61 fix the mentioned vulnerability...
CVE-2024-6200
CVE-2024-6200 affects HaloITSM up to version 2.146.1, with a stored Cross-Site Scripting (XSS) vulnerability in tickets. The injected JavaScript can perform actions on behalf of a user accessing a ticket. The issue is mitigated by upgrading to versions past 2.146.1 and applying patches from 2.143...