CVE-2024-6200 HIGH

CVE-2024-6200: HaloITSM - Stored Cross-Site Scripting in Tickets

Vendor Halo Service Solutions
Product HaloITSM
Weakness CWE-79 · XSS
Published August 6, 2024
Last update August 8, 2024

CVSS base score

8.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

HaloITSM versions up to 2.146.1 are affected by a Stored Cross-Site Scripting (XSS) vulnerability. The injected JavaScript code can execute arbitrary action on behalf of the user accessing a ticket. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability.

Key dates

02Disclosure timeline

August 6, 2024 CVE published
August 8, 2024 Record updated