CVE-2024-42407

Severity: High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Components affected: Command Centre Server

Version of Command Centre affected:

9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6), all versions of 8.80 and prior.

Reported by: Gallagher internal

Active exploitation of vulnerability*: No

Description of vulnerability: Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access.

Mitigating Factor: Only sites making use of the Alarm Transmitter feature  and CSV Protocol are affected. 

Maintenance releases are now available for:

• v9.10 - v9.10.2149 (MR4)
• v9.00 - v9.00.2374 (MR5)
• v8.90 - v8.90.2356 (MR6)

Important notes:

*This indicates whether Gallagher are aware of this being actively exploited against customer sites at the time of publication.