Anonymous Actors Can Impersonate Arbitrary HaloITSM Users via SAML Integration Flaw
CVE-2024-6202

9.8CRITICAL

Key Information:

Vendor: Halo Service Solutions
Status: Haloitsm
Vendor: CVE Published:; 6 August 2024

🔔 Create Halo Service Solutions Vulnerability Alert

What is CVE-2024-6202?

HaloITSM versions up to 2.146.1 are susceptible to a SAML XML Signature Wrapping vulnerability. This allows attackers to impersonate any HaloITSM user simply by knowing their email address, provided a SAML integration is configured. This significant security risk emphasizes the need for updating to HaloITSM versions beyond 2.146.1 or applying patches starting from version 2.143.61 to mitigate the issue and protect user identities.

Affected Version(s)

HaloITSM < 2.146.1

References

https://haloitsm.com/guides/article/?kbid=2154

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 6, 2024
Vulnerability Reserved
Jun 20, 2024

Credit

Damian Pfammatter, Cyber-Defence Campus (armasuisse)