CVE-2024-6203
published 2024-08-06

Priority: P3 44
Severity: high, CVSS 3.1 base score 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.37% (28.6th percentile)
HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users, provided their email address is known. When such a poisoned link is accessed (manually by the victim, or automatically by an email client that scans or prefetches links), the password reset token is leaked to the malicious actor, allowing them to set a new password for the victim's account. This potentially leads to account takeover.

HaloITSM versions after 2.146.1 (and patches starting from 2.143.61) fix the vulnerability. Note that the Affected table below lists 2.146.1 itself as the fixed release for the main range.
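The class of bug described above comes from building the reset link out of request-supplied host information (Host or X-Forwarded-Host) instead of a configured origin. The following is an added illustration of that pattern and its hardened form, not HaloITSM's code; the hostnames, the /reset path, the header dict format and the token store are all assumptions chosen for the example. It also shows the second layer a practitioner wants regardless of link construction: reset tokens that are single-use and short-lived, so a leaked token is worth less.

```python
import secrets
import time
from urllib.parse import urlsplit

# Assumed deployment origin for this example; a real application reads this
# from configuration, never from the incoming request.
CANONICAL_ORIGIN = "https://helpdesk.example.com"
ALLOWED_HOSTS = {"helpdesk.example.com"}

# Constructed sample headers: an attacker requests a reset for the victim's
# e-mail address but supplies Host/X-Forwarded-Host pointing at their server.
POISONED_HEADERS = {"Host": "attacker.example", "X-Forwarded-Host": "attacker.example"}
HONEST_HEADERS = {"Host": "helpdesk.example.com"}


def build_reset_link_vulnerable(headers, token):
    """Vulnerable pattern: the link's host comes from the request headers.

    Whatever the requester put in X-Forwarded-Host or Host ends up in the e-mail
    sent to the victim, so opening the link delivers the token to that host.
    """
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/reset?token={token}"


def build_reset_link_hardened(headers, token):
    """Hardened pattern: the Host header is validated, the link uses the configured origin."""
    host = headers.get("Host", "").strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"rejected password reset: unexpected Host header {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def link_leaks_token(link, trusted_hosts=ALLOWED_HOSTS):
    """True if following the link would send its token to an untrusted host."""
    return urlsplit(link).hostname not in trusted_hosts


# Minimal in-memory token store (assumed for the example): token -> (user, expiry).
_TOKENS = {}


def issue_token(user, ttl_seconds=900, now=None):
    """Issue a random, time-limited reset token for `user`."""
    token = secrets.token_urlsafe(32)
    issued_at = now if now is not None else time.time()
    _TOKENS[token] = (user, issued_at + ttl_seconds)
    return token


def redeem_token(token, now=None):
    """Return the user for a valid token and invalidate it; None if unknown or expired."""
    entry = _TOKENS.pop(token, None)  # pop: a token can only be redeemed once
    if entry is None:
        return None
    user, expiry = entry
    current = now if now is not None else time.time()
    if current > expiry:
        return None
    return user


if __name__ == "__main__":
    token = issue_token("victim@example.com")
    bad = build_reset_link_vulnerable(POISONED_HEADERS, token)
    print("vulnerable link:", bad, "leaks token:", link_leaks_token(bad))
    good = build_reset_link_hardened(HONEST_HEADERS, token)
    print("hardened link:  ", good, "leaks token:", link_leaks_token(good))
```

To check an application for this class of issue, request a password reset for an account you control while sending a Host (and, where a proxy is in front, X-Forwarded-Host) header of a domain you own, then inspect the link in the resulting e-mail; if your domain appears in it, the token will be delivered there when the link is opened.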

Affected (3 ranges)

Vendor                  Product   Version range          Fixed in
halo_service_solutions  haloitsm  < 2.146.1              2.146.1
haloservicesolutions    haloitsm  < 2.143.61             2.143.61
haloservicesolutions    haloitsm  >= 2.144, < 2.146.1    2.146.1