{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21838", "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "state": "PUBLISHED", "assignerShortName": "Gallagher", "dateReserved": "2024-02-05T04:16:47.986Z", "datePublished": "2024-03-05T03:11:55.586Z", "dateUpdated": "2024-06-04T17:38:11.847Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Command Centre Server", "vendor": "Gallagher ", "versions": [{"lessThanOrEqual": "8.60", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "vEL9.00.1774 (MR2)", "status": "affected", "version": "9.00", "versionType": "custom"}, {"lessThan": "vEL8.90.1751 (MR3)", "status": "affected", "version": "8.90", "versionType": "custom"}, {"lessThan": "vEL8.80.1526 (MR4)", "status": "affected", "version": "8.80", "versionType": "custom"}, {"lessThan": "vEL8.70.2526", "status": "affected", "version": "8.70", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Only sites making use of Command Centre to send emails are affected. </span>\n\n<br>"}], "value": "\nOnly sites making use of Command Centre to send emails are affected. \n\n\n"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. </span><br><span style=\"background-color: rgb(255, 255, 255);\"><br>This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), &nbsp;all version of 8.60 and prior.</span>\n\n<p></p>"}], "value": "\nImproper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. \n\nThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u00a0all version of 8.60 and prior.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher", "dateUpdated": "2024-03-05T03:11:55.586Z"}, "references": [{"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-05T15:42:22.095197Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:38:11.847Z"}}]}}

{"descriptions": [{"lang": "en", "value": "\nImproper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. \n\nThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u00a0all version of 8.60 and prior.\n\n\n\n"}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales en la salida (CWE-74) utilizados por la funci\u00f3n de generaci\u00f3n de correo electr\u00f3nico de Command Centre Server podr\u00eda provocar la inyecci\u00f3n de c\u00f3digo HTML en los correos electr\u00f3nicos generados por Command Center. Este problema afecta a: Gallagher Command Center 9.00 anterior a vEL9.00.1774 (MR2), 8.90 anterior a vEL8.90.1751 (MR3), 8.80 anterior a vEL8.80.1526 (MR4), 8.70 anterior a vEL8.70.2526 (MR6), todas las versiones de 8.60 y anteriores."}], "id": "CVE-2024-21838", "lastModified": "2024-03-05T13:41:01.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "disclosures@gallagher.com", "type": "Secondary"}]}, "published": "2024-03-05T03:15:06.280", "references": [{"source": "disclosures@gallagher.com", "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838"}], "sourceIdentifier": "disclosures@gallagher.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "disclosures@gallagher.com", "type": "Secondary"}]}

{}