CVE-2024-21838
05.03.2024, 03:15
Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior.
| Vendor | Product | Version |
|---|---|---|
| gallagher | command_centre | 𝑥 ≤ 8.60 |
| gallagher | command_centre | 8.70 ≤ 𝑥 < 8.70.2526 |
| gallagher | command_centre | 8.80 ≤ 𝑥 < 8.80.1526 |
| gallagher | command_centre | 8.90 ≤ 𝑥 < 8.90.1751 |
| gallagher | command_centre | 9.00 ≤ 𝑥 < 9.00.1774 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.