CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6203 – HaloITSM - Password Reset Poisoning
https://notcve.org/view.php?id=CVE-2024-6203
06 Aug 2024 — HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users (given their email address is known). When these poisoned links get accessed (e.g. manually by the victim or automatically by an email client software), the password reset token is leaked to the malicious actor, allowing them to set a new password for the victim's account.This potentially leads to account takeover attacks.HaloITSM versions past 2.146.... • https://haloitsm.com/guides/article/?kbid=2155 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6202 – HaloITSM - SAML XML Signature Wrapping (XSW)
https://notcve.org/view.php?id=CVE-2024-6202
06 Aug 2024 — HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability. When having a SAML integration configured, anonymous actors could impersonate arbitrary HaloITSM users by just knowing their email address. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability. Las versiones de HaloITSM hasta 2.146.1 se ven afectadas por una vulnerabilidad SAML XML Signature Wrapping (XSW). Al tener configurada una integración SAML, los actores a... • https://haloitsm.com/guides/article/?kbid=2154 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6201 – HaloITSM - Emailing Template Injection
https://notcve.org/view.php?id=CVE-2024-6201
06 Aug 2024 — HaloITSM versions up to 2.146.1 are affected by a Template Injection vulnerability within the engine used to generate emails. This can lead to the leakage of potentially sensitive information. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability. Las versiones de HaloITSM hasta la 2.146.1 se ven afectadas por una vulnerabilidad de inyección de plantilla dentro del motor utilizado para generar correos electrónicos. Esto puede provocar la filtración de informaci... • https://haloitsm.com/guides/article/?kbid=2153 •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6200 – HaloITSM - Stored Cross-Site Scripting in Tickets
https://notcve.org/view.php?id=CVE-2024-6200
06 Aug 2024 — HaloITSM versions up to 2.146.1 are affected by a Stored Cross-Site Scripting (XSS) vulnerability. The injected JavaScript code can execute arbitrary action on behalf of the user accessing a ticket. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability. Las versiones de HaloITSM hasta 2.146.1 se ven afectadas por una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado. El código JavaScript inyectado puede ejecutar acciones arbitrarias en nombre del usuario ... • https://haloitsm.com/guides/article/?kbid=2152 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •