CVE-2024-6202

Published: Aug 6, 2024Modified: Aug 29, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability. When having a SAML integration configured, anonymous actors could impersonate arbitrary HaloITSM users by just knowing their email address. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability.

Affected (2)

Products: Haloservicesolutions: Haloitsm

Haloservicesolutions

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Haloservicesolutions Haloitsm	Before 2.143.61
Haloservicesolutions Haloitsm	From 2.144 to 2.146.1

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (1)

https://haloitsm.com/guides/article/?kbid=2154

Source: vulnerability@ncsc.ch

Vendor Advisory

Timeline

No history available yet.