CVE-2025-40846

Improper Input Validation, the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and inject JavaScript code to perform cross site scripting attack. The vulnerability affects Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21

CVSS

No CVSS.

References

Link	Resource
https://support.haloservicedesk.com/kb?id=2501

Configurations

No configuration.

History

08 May 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-08 09:15

Updated : 2025-05-08 14:39

NVD link : CVE-2025-40846

Mitre link : CVE-2025-40846

CVE.ORG link : CVE-2025-40846

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2025-40846", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "vulnerability@ncsc.ch", "cvssData": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 7.1, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:L/U:Red", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "RED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-08T09:15:20.320", "references": [{"url": "https://support.haloservicedesk.com/kb?id=2501", "source": "vulnerability@ncsc.ch"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "vulnerability@ncsc.ch", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Improper Input Validation, the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and\u00a0inject JavaScript code to perform cross site scripting attack.\n\nThe vulnerability affects Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21"}], "lastModified": "2025-05-08T14:39:09.683", "sourceIdentifier": "vulnerability@ncsc.ch"}

CVE-2025-40846

JSON object

Attach tags to CVE-2025-40846

Attach tags to `CVE-2025-40846`