CVE-2024-21838

Severity: Medium CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Components affected: Command Centre Server

Version of Command Centre affected:  9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior.

Reported by: Gallagher Internal

Active exploitation of vulnerability*: No

Description of vulnerability: Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. 

This issue affects: Gallagher Command Centre: 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6),  all version of 8.60 and prior.

Mitigation: Only sites making use of Command Centre to send emails are affected. 

Maintenance releases are now available for:

• ·v9.00 - v9.00.1774 (MR2)
• ·v8.90 - v8.90.1751 (MR3)
• ·v8.80 - v8.80.1526 (MR4)
• ·v8.70 - v8.70.2526 (MR6)

Important notes:

*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.