CVE-2025-40846 HIGH

CVE-2025-40846: HaloITSM open redirect via the returnUrl

Weakness CWE-20 · Input validation
Published May 8, 2025
Last update May 8, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/RE:L/U:Red

What the vulnerability does

01Description

Improper Input Validation, the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and inject JavaScript code to perform cross site scripting attack. The vulnerability affects Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21

Key dates

02Disclosure timeline

May 8, 2025 CVE published
May 8, 2025 Record updated