HaloITSM Guides
CVE-2024-6203 - Password Reset Poisoning
General Information
This article contains frequently asked questions relating to the password reset poisoning vulnerability (CVE-2024-6203) affecting Halo versions up to 2.143.61 and all 2.144 and 2.145 versions. Users with access to the forgotten-password functionality can issue a password reset request to the victim's email address and, by manipulating the request in a specific way, can force the email to contain a poisoned link. If the victim follows this link, the password reset token can be leaked.
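The pattern behind this class of issue, shown as an added example that is not Halo's code: the advisory does not say which part of the request is manipulated, so this example assumes the common case of a link built from the request's Host header, and places it beside a hardened builder that uses a configured base URL plus a pre-send check. All host names and paths are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (assumption, not from the advisory).
CANONICAL_BASE_URL = "https://helpdesk.example.com"
RESET_PATH = "/account/reset"


def weak_reset_link(request_headers: dict, token: str) -> str:
    """Builds the emailed link from the request's Host header.

    If that header is influenced by the requester rather than the server
    configuration, the emailed link points at a host the server did not
    choose, and the token is disclosed to that host when the link is opened.
    """
    host = request_headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?token={token}"


def hardened_reset_link(token: str) -> str:
    """Builds the emailed link from server-side configuration only.

    Nothing from the inbound request decides where the token is sent,
    so a manipulated request cannot redirect it.
    """
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?token={token}"


def link_is_trusted(link: str) -> bool:
    """Defensive pre-send check: the link must stay on the canonical origin."""
    expected = urlsplit(CANONICAL_BASE_URL)
    actual = urlsplit(link)
    return (actual.scheme, actual.netloc) == (expected.scheme, expected.netloc)


def reset_request_host_mismatch(request_headers: dict) -> bool:
    """Detection aid for access logs or middleware: flag reset requests whose
    Host header differs from the configured host, which is the signal a
    defender would alert on for this class of issue."""
    expected_host = urlsplit(CANONICAL_BASE_URL).netloc
    return request_headers.get("Host", "").lower() != expected_host.lower()
```

The check in `link_is_trusted` is the property the patch must guarantee: whatever the request looked like, the emailed link resolves only to the configured origin.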
Are hosted Halo instances affected?
Hosted customers have been automatically updated with a patch that resolves this issue, and therefore no action is required by hosted customers. The patch was released on 2024-04-19 and hosted customers would have been upgraded shortly afterwards.
Are on-premises Halo instances affected?
Halo on-premises installations should apply the latest stable or beta patch to their Halo instance to resolve this issue.
- Any patch >= 2.143.61.
- Any version >= 2.146.1.
Next Steps
No action is required on the part of our customers.
We will continue to monitor our business infrastructure to ensure the same level of service and security that you expect.