8.3

CVE-2024-6203

EPSS 0.22%
Veröffentlicht 06.08.2024 06:15:35
Zuletzt bearbeitet 29.08.2024 17:46:28
Quelle vulnerability@ncsc.ch
CVE-Watchlists
Login
Unerledigt
Login

HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users (given their email address is known). When these poisoned links get accessed (e.g. manually by the victim or automatically by an email client software), the password reset token is leaked to the malicious actor, allowing them to set a new password for the victim's account.This potentially leads to account takeover attacks.HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Haloservicesolutions ≫ Haloitsm Version < 2.143.61

Haloservicesolutions ≫ Haloitsm Version >= 2.144 < 2.146.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.449

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
vulnerability@ncsc.ch	8.3	2.8	5.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

CWE-640 Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

https://haloitsm.com/guides/article/?kbid=2155

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-6203

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6203

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6203

EUVD