CVE-2024-21838: 
Gallagher Command Centre vulnerability analysis and mitigation

CVE-2024-21838 is a security vulnerability affecting the email generation feature of the Gallagher Command Centre Server. The vulnerability was discovered internally by Gallagher and disclosed in March 2024. It affects multiple versions of Gallagher Command Centre including 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), and all versions of 8.60 and prior (Gallagher Advisory).

The vulnerability is classified as an improper neutralization of special elements in output (CWE-74) that could lead to HTML code injection in emails generated by Command Centre. The CVSS v3.1 base score is 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N according to NVD, while Gallagher rates it with a CVSS score of 6.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N (NVD, Gallagher Advisory).

The vulnerability affects only sites making use of Command Centre to send emails. If exploited, it could allow an attacker to inject HTML code into emails generated by the Command Centre system, potentially leading to unauthorized manipulation of email content (Gallagher Advisory).

Gallagher has released maintenance releases to address this vulnerability: v9.00.1774 (MR2) for v9.00, v8.90.1751 (MR3) for v8.90, v8.80.1526 (MR4) for v8.80, and v8.70.2526 (MR6) for v8.70. Users are advised to upgrade to these patched versions (Gallagher Advisory).