Email Generation Feature Vulnerable to HTML Code Injection
CVE-2024-21838

5.4 MEDIUM

Key Information:

Vendor: Gallagher

CVE Published: 5 March 2024

What is CVE-2024-21838?

Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre.

This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), and all versions of 8.60 and prior.

Affected Version(s)

Command Centre Server 0 <= 8.60

Command Centre Server 9.00

Command Centre Server 8.90

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved