CVE-2025-40846

Published May 8, 2025

Last updated 2 months ago

Overview

Description: Improper Input Validation, the returnUrl parameter in Account Security Settings lacks proper input validation, allowing attackers to redirect users to malicious websites (Open Redirect) and inject JavaScript code to perform cross site scripting attack. The vulnerability affects Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21
Source: vulnerability@ncsc.ch
NVD status: Awaiting Analysis

Risk scores

CVSS 4.0

Type: Secondary
Base score: 7.1
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:X/RE:L/U:Red
Severity: HIGH

Weaknesses

vulnerability@ncsc.ch: CWE-20

Hype score: Not currently trending

🚨 CVE-2025-40846 🔴 HIGH (7.1) 🏢 HaloITSM - ITSM 🏗️ >= 2.174.101 🔗 https://t.co/hMhzR93XHh #CyberCron #VulnAlert #InfoSec https://t.co/xxE35OCGhQ
@cybercronai
8 May 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

References

Sources include official advisories and independent security research.