{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21838", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "state": "PUBLISHED", "assignerShortName": "Gallagher", "dateReserved": "2024-02-05T04:16:47.986Z", "datePublished": "2024-03-05T03:11:55.586Z", "dateUpdated": "2024-08-01T22:27:36.320Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Command Centre Server", "vendor": "Gallagher ", "versions": [{"lessThanOrEqual": "8.60", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "vEL9.00.1774 (MR2)", "status": "affected", "version": "9.00", "versionType": "custom"}, {"lessThan": "vEL8.90.1751 (MR3)", "status": "affected", "version": "8.90", "versionType": "custom"}, {"lessThan": "vEL8.80.1526 (MR4)", "status": "affected", "version": "8.80", "versionType": "custom"}, {"lessThan": "vEL8.70.2526", "status": "affected", "version": "8.70", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Only sites making use of Command Centre to send emails are affected. </span>\n\n<br>"}], "value": "\nOnly sites making use of Command Centre to send emails are affected. \n\n\n"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. </span><br><span style=\"background-color: rgb(255, 255, 255);\"><br>This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), &nbsp;all version of 8.60 and prior.</span>\n\n<p></p>"}], "value": "\nImproper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. \n\nThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u00a0all version of 8.60 and prior.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2024-03-05T03:11:55.586Z"}, "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-05T15:42:22.095197Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:38:11.847Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.320Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:36.320Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-05T15:42:22.095197Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:14.986Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Gallagher ", "product": "Command Centre Server", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "8.60"}, {"status": "affected", "version": "9.00", "lessThan": "vEL9.00.1774 (MR2)", "versionType": "custom"}, {"status": "affected", "version": "8.90", "lessThan": "vEL8.90.1751 (MR3)", "versionType": "custom"}, {"status": "affected", "version": "8.80", "lessThan": "vEL8.80.1526 (MR4)", "versionType": "custom"}, {"status": "affected", "version": "8.70", "lessThan": "vEL8.70.2526", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\nImproper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. \n\nThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u00a0all version of 8.60 and prior.\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. </span><br><span style=\"background-color: rgb(255, 255, 255);\"><br>This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), &nbsp;all version of 8.60 and prior.</span>\n\n<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "configurations": [{"lang": "en", "value": "\nOnly sites making use of Command Centre to send emails are affected. \n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Only sites making use of Command Centre to send emails are affected. </span>\n\n<br>", "base64": false}]}], "providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2024-03-05T03:11:55.586Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21838", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:27:36.320Z", "dateReserved": "2024-02-05T04:16:47.986Z", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "datePublished": "2024-03-05T03:11:55.586Z", "assignerShortName": "Gallagher"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6CB4E79-0153-4DB1-BE98-91A39FB06C5A", "versionEndIncluding": "8.60", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA675A52-8CC9-4A20-8EB1-7A066FB8E3C0", "versionEndExcluding": "8.70.2526", "versionStartIncluding": "8.70", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BCEEB9A-DB54-4FFB-A596-29E7329958F3", "versionEndExcluding": "8.80.1526", "versionStartIncluding": "8.80", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "5770EF66-119E-414B-9188-53D5935D8CFC", "versionEndExcluding": "8.90.1751", "versionStartIncluding": "8.90", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC849EB3-3967-4018-B28E-83C39E99BB6A", "versionEndExcluding": "9.00.1774", "versionStartIncluding": "9.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nImproper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. \n\nThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u00a0all version of 8.60 and prior.\n\n\n\n"}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales en la salida (CWE-74) utilizados por la funci\u00f3n de generaci\u00f3n de correo electr\u00f3nico de Command Centre Server podr\u00eda provocar la inyecci\u00f3n de c\u00f3digo HTML en los correos electr\u00f3nicos generados por Command Center. Este problema afecta a: Gallagher Command Center 9.00 anterior a vEL9.00.1774 (MR2), 8.90 anterior a vEL8.90.1751 (MR3), 8.80 anterior a vEL8.80.1526 (MR4), 8.70 anterior a vEL8.70.2526 (MR6), todas las versiones de 8.60 y anteriores."}], "id": "CVE-2024-21838", "lastModified": "2025-02-10T22:33:35.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "disclosures@gallagher.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-05T03:15:06.280", "references": [{"source": "disclosures@gallagher.com", "tags": ["Vendor Advisory"], "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838"}], "sourceIdentifier": "disclosures@gallagher.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "disclosures@gallagher.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}