CVE-2024-21838

Summary

Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre.

This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6),  all version of 8.60 and prior.

Affected Software

VendorProductVersion RangeStatus
GallagherCommand Centre Server0 <= 8.60affected
GallagherCommand Centre Server9.00 < vEL9.00.1774 (MR2)affected
GallagherCommand Centre Server8.90 < vEL8.90.1751 (MR3)affected
GallagherCommand Centre Server8.80 < vEL8.80.1526 (MR4)affected
GallagherCommand Centre Server8.70 < vEL8.70.2526affected

Weaknesses

  • CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References