Vulnerabilites related to Gallagher - Command Centre Server
CVE-2024-42407 (GCVE-0-2024-42407)
Vulnerability from cvelistv5
Published
2024-12-12 01:36
Modified
2024-12-12 15:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Summary
Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access.
This issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6), all versions of 8.80 and prior.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre Server |
Version: 0 < Version: 9.10 < 9.10.2149 (MR4) Version: 9.00 < 9.00.2374 (MR5) Version: 8.90 < 8.90.2356 (MR6) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T15:17:42.519556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T15:18:01.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.80",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.10.2149 (MR4)",
"status": "affected",
"version": "9.10",
"versionType": "custom"
},
{
"lessThan": "9.00.2374 (MR5)",
"status": "affected",
"version": "9.00",
"versionType": "custom"
},
{
"lessThan": "8.90.2356 (MR6)",
"status": "affected",
"version": "8.90",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInsertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access. \u003cbr\u003e\u003cbr\u003eThis issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6),\u0026nbsp;all versions of 8.80 and prior.\n\n\u003c/span\u003e"
}
],
"value": "Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access. \n\nThis issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6),\u00a0all versions of 8.80 and prior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532 Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T01:36:12.364Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-42407"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2024-42407",
"datePublished": "2024-12-12T01:36:12.364Z",
"dateReserved": "2024-08-28T02:46:11.141Z",
"dateUpdated": "2024-12-12T15:18:01.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41724 (GCVE-0-2024-41724)
Vulnerability from cvelistv5
Published
2025-03-10 02:44
Modified
2025-03-10 17:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-295 - Improper Certificate Validation
Summary
Improper Certificate Validation (CWE-295) in the Gallagher Command Centre SALTO integration allowed an attacker to spoof the SALTO server.
This issue affects all versions of Gallagher Command Centre prior to 9.20.1043.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre Server |
Version: 0 < 9.20.1043 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T17:08:41.181156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T17:10:26.436Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThan": "9.20.1043",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImpact of this vulnerability is limited to sites making use of the Gallagher Command Centre SALTO integration prior to 9.20.1043.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Impact of this vulnerability is limited to sites making use of the Gallagher Command Centre SALTO integration prior to 9.20.1043."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImproper Certificate Validation (CWE-295) in the Gallagher Command Centre SALTO integration allowed an attacker to spoof the SALTO server. \u003c/span\u003e\n\n\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue affects all versions of Gallagher Command Centre prior to 9.20.1043.\u003c/span\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Improper Certificate Validation (CWE-295) in the Gallagher Command Centre SALTO integration allowed an attacker to spoof the SALTO server. \n\n\n\n\nThis issue affects all versions of Gallagher Command Centre prior to 9.20.1043."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T02:44:36.469Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-41724"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2024-41724",
"datePublished": "2025-03-10T02:44:36.469Z",
"dateReserved": "2024-08-28T02:46:11.159Z",
"dateUpdated": "2025-03-10T17:10:26.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21838 (GCVE-0-2024-21838)
Vulnerability from cvelistv5
Published
2024-03-05 03:11
Modified
2024-08-01 22:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
Improper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre.
This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre Server |
Version: 0 < Version: 9.00 < vEL9.00.1774 (MR2) Version: 8.90 < vEL8.90.1751 (MR3) Version: 8.80 < vEL8.80.1526 (MR4) Version: 8.70 < vEL8.70.2526 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T15:42:22.095197Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:38:11.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.320Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Command Centre Server",
"vendor": "Gallagher ",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vEL9.00.1774 (MR2)",
"status": "affected",
"version": "9.00",
"versionType": "custom"
},
{
"lessThan": "vEL8.90.1751 (MR3)",
"status": "affected",
"version": "8.90",
"versionType": "custom"
},
{
"lessThan": "vEL8.80.1526 (MR4)",
"status": "affected",
"version": "8.80",
"versionType": "custom"
},
{
"lessThan": "vEL8.70.2526",
"status": "affected",
"version": "8.70",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOnly sites making use of Command Centre to send emails are affected. \u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nOnly sites making use of Command Centre to send emails are affected. \n\n\n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImproper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. \u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003eThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u0026nbsp;all version of 8.60 and prior.\u003c/span\u003e\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "\nImproper neutralization of special elements in output (CWE-74) used by the email generation feature of the Command Centre Server could lead to HTML code injection in emails generated by Command Centre. \n\nThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u00a0all version of 8.60 and prior.\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-05T03:11:55.586Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-21838"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2024-21838",
"datePublished": "2024-03-05T03:11:55.586Z",
"dateReserved": "2024-02-05T04:16:47.986Z",
"dateUpdated": "2024-08-01T22:27:36.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23584 (GCVE-0-2023-23584)
Vulnerability from cvelistv5
Published
2023-12-18 21:59
Modified
2024-08-02 10:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-204 - Observable Response Discrepancy
Summary
An observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable.
This issue affects: Gallagher Command Centre 8.70 prior to vEL8.70.1787 (MR2), 8.60 prior to vEL8.60.2039 (MR4), all version of 8.50 and prior.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre Server |
Version: 0 < Version: 8.70 < 8.70.1787 (MR2) Version: 8.60 < 8.60.2039 (MR4) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23584"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.50",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.70.1787 (MR2)",
"status": "affected",
"version": "8.70",
"versionType": "custom"
},
{
"lessThan": "8.60.2039 (MR4)",
"status": "affected",
"version": "8.60",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable. \u003cbr\u003e\u003cbr\u003eThis issue affects: Gallagher Command Centre \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.70 prior to vEL8.70.1787 (MR2), 8.60 prior to vEL8.60.2039 (MR4), all version of 8.50 and prior.\u003c/span\u003e\n\n"
}
],
"value": "\nAn observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable. \n\nThis issue affects: Gallagher Command Centre 8.70 prior to vEL8.70.1787 (MR2), 8.60 prior to vEL8.60.2039 (MR4), all version of 8.50 and prior.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-18T21:59:58.271Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23584"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2023-23584",
"datePublished": "2023-12-18T21:59:58.271Z",
"dateReserved": "2023-02-03T20:38:05.261Z",
"dateUpdated": "2024-08-02T10:35:33.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23576 (GCVE-0-2023-23576)
Vulnerability from cvelistv5
Published
2023-12-18 21:59
Modified
2024-08-02 10:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-696 - Incorrect Behavior Order
Summary
Incorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision.
This issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre Server |
Version: 0 < Version: 8.90 < 8.90.1620 (MR2) Version: 8.80 < 8.80.1369 (MR3) Version: 8.70 < 8.70.2375 (MR5) Version: 8.60 < 8.60.2550 (MR7) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23576"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.50",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.90.1620 (MR2)",
"status": "affected",
"version": "8.90",
"versionType": "custom"
},
{
"lessThan": "8.80.1369 (MR3)",
"status": "affected",
"version": "8.80",
"versionType": "custom"
},
{
"lessThan": "8.70.2375 (MR5)",
"status": "affected",
"version": "8.70",
"versionType": "custom"
},
{
"lessThan": "8.60.2550 (MR7)",
"status": "affected",
"version": "8.60",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIncorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. \u003cbr\u003e\u003cbr\u003eThis issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior.\u003c/span\u003e\n\n"
}
],
"value": "\nIncorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. \n\nThis issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-18T21:59:38.164Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23576"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2023-23576",
"datePublished": "2023-12-18T21:59:38.164Z",
"dateReserved": "2023-02-03T20:38:05.225Z",
"dateUpdated": "2024-08-02T10:35:33.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21815 (GCVE-0-2024-21815)
Vulnerability from cvelistv5
Published
2024-03-05 03:09
Modified
2024-08-01 22:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Summary
Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users.
This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre Server |
Version: 0 < Version: 9.00 < vEL9.00.1774 (MR2) Version: 8.90 < vEL8.90.1751 (MR3) Version: 8.80 < vEL8.80.1526 (MR4) Version: 8.70 < vEL8.70.2526 (MR6) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T16:09:09.796526Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:38:15.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gallagher.com/Security-Advisories/CVE-2024-21815"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.60",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vEL9.00.1774 (MR2)",
"status": "affected",
"version": "9.00",
"versionType": "custom"
},
{
"lessThan": "vEL8.90.1751 (MR3)",
"status": "affected",
"version": "8.90",
"versionType": "custom"
},
{
"lessThan": "vEL8.80.1526 (MR4)",
"status": "affected",
"version": "8.80",
"versionType": "custom"
},
{
"lessThan": "vEL8.70.2526 (MR6)",
"status": "affected",
"version": "8.70",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOnly sites with DVR integrations are affected. \u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nOnly sites with DVR integrations are affected. \n\n\n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInsufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users. \u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u0026nbsp;all version of 8.60 and prior.\u003c/span\u003e\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "\nInsufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users. \n\nThis issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), \u00a0all version of 8.60 and prior.\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-05T03:09:52.505Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/Security-Advisories/CVE-2024-21815"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2024-21815",
"datePublished": "2024-03-05T03:09:52.505Z",
"dateReserved": "2024-02-05T04:16:48.019Z",
"dateUpdated": "2024-08-01T22:27:36.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46406 (GCVE-0-2025-46406)
Vulnerability from cvelistv5
Published
2025-07-10 03:10
Modified
2025-07-10 20:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-270 - Privilege Context Switching Error
Summary
A Privilege Context Switching Error (CWE-270) in the Command Center Server could allow a privileged Operator with high level access in one Division to perform limited privileged activities across the Division boundary.
This issue affects Command Centre Server:
9.30 prior to 9.30.1874 (MR1), 9.20 prior to 9.20.2337 (MR3), 9.10 prior to 9.10.3194 (MR6), 9.00 prior to 9.00.3371 (MR7), all versions of 8.90 and prior.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre Server |
Version: 0 < Version: 9.30 < 9.30.1874 (MR1) Version: 9.20 < 9.20.2337 (MR3) Version: 9.10 < 9.10.3194 (MR6) Version: 9.00 < 9.00.3371 (MR7) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T20:02:21.159913Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T20:02:29.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.90",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.30.1874 (MR1)",
"status": "affected",
"version": "9.30",
"versionType": "custom"
},
{
"lessThan": "9.20.2337 (MR3)",
"status": "affected",
"version": "9.20",
"versionType": "custom"
},
{
"lessThan": "9.10.3194 (MR6)",
"status": "affected",
"version": "9.10",
"versionType": "custom"
},
{
"lessThan": "9.00.3371 (MR7)",
"status": "affected",
"version": "9.00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA Privilege Context Switching Error (CWE-270) in the Command Center Server could allow a privileged Operator with high level access in one Division to perform limited privileged activities across the Division boundary.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects Command Centre Server: \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.30 prior to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.30.1874\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;(MR1), 9.20 prior to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.20.2337\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;(MR3), 9.10 prior to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.10.3194\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;(MR6), \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.00 prior to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.00.3371\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;(MR7), \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eall versions of 8.90 and prior.\u003c/span\u003e\n\n\u003c/p\u003e"
}
],
"value": "A Privilege Context Switching Error (CWE-270) in the Command Center Server could allow a privileged Operator with high level access in one Division to perform limited privileged activities across the Division boundary.\n\nThis issue affects Command Centre Server: \n\n9.30 prior to 9.30.1874\u00a0(MR1), 9.20 prior to 9.20.2337\u00a0(MR3), 9.10 prior to 9.10.3194\u00a0(MR6), 9.00 prior to 9.00.3371\u00a0(MR7), all versions of 8.90 and prior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-270",
"description": "CWE-270 Privilege Context Switching Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T03:10:03.557Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-46406"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2025-46406",
"datePublished": "2025-07-10T03:10:03.557Z",
"dateReserved": "2025-06-17T02:18:59.193Z",
"dateUpdated": "2025-07-10T20:02:29.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43690 (GCVE-0-2024-43690)
Vulnerability from cvelistv5
Published
2024-09-11 04:04
Modified
2024-09-11 18:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Summary
Inclusion of Functionality from Untrusted Control Sphere(CWE-829) in the Command Centre Server and Workstations may allow an attacker to perform Remote Code Execution (RCE).
This issue affects: Command Centre Server and Command Centre Workstations 9.10 prior to vEL9.10.1530 (MR2), 9.00 prior to vEL9.00.2168 (MR4), 8.90 prior to vEL8.90.2155 (MR5), 8.80 prior to vEL8.80.1938 (MR6), all versions of 8.70 and prior.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gallagher | Command Centre Server |
Version: 0 < Version: 9.10 < vEL9.10.1530(MR2) Version: 9.00 < vEL9.00.2168 (MR4) Version: 8.90 < vEL8.90.2155 (MR5) Version: 8.80 < vEL8.80.1938 (MR6) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gallagher:command_centre:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "command_centre",
"vendor": "gallagher",
"versions": [
{
"lessThanOrEqual": "8.70",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.10.1530(mr2)",
"status": "affected",
"version": "9.10",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.00.2168(mr4)",
"status": "affected",
"version": "9.00",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.90.2155(mr5)",
"status": "affected",
"version": "8.90",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.80.1938(mr6)",
"status": "affected",
"version": "8.80",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43690",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:20:31.031982Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:34:36.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.70",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vEL9.10.1530(MR2)",
"status": "affected",
"version": "9.10",
"versionType": "custom"
},
{
"lessThan": "vEL9.00.2168 (MR4)",
"status": "affected",
"version": "9.00",
"versionType": "custom"
},
{
"lessThan": "vEL8.90.2155 (MR5)",
"status": "affected",
"version": "8.90",
"versionType": "custom"
},
{
"lessThan": "vEL8.80.1938 (MR6)",
"status": "affected",
"version": "8.80",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInclusion of Functionality from Untrusted Control Sphere(CWE-829) in the Command Centre Server and Workstations may allow an attacker to perform Remote Code Execution (RCE).\u003c/span\u003e\n\n\u003cp\u003e\u003cb\u003eThis issue affects:\u003c/b\u003e Command Centre Server and Command Centre Workstations\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.10 prior to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003evEL9.10.1530 (MR2), \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.00 prior to \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003evEL9.00.2168 (MR4), \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.90 prior to vEL8.90.2155 (MR5), \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e8.80 prior to vEL8.80.1938 (MR6), \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eall versions of 8.70 and prior.\u003c/span\u003e\n\n\u003c/p\u003e"
}
],
"value": "Inclusion of Functionality from Untrusted Control Sphere(CWE-829) in the Command Centre Server and Workstations may allow an attacker to perform Remote Code Execution (RCE).\n\nThis issue affects: Command Centre Server and Command Centre Workstations\u00a09.10 prior to vEL9.10.1530 (MR2), 9.00 prior to vEL9.00.2168 (MR4), 8.90 prior to vEL8.90.2155 (MR5), 8.80 prior to vEL8.80.1938 (MR6), all versions of 8.70 and prior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T04:04:19.129Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-43690"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2024-43690",
"datePublished": "2024-09-11T04:04:19.129Z",
"dateReserved": "2024-08-28T02:46:11.119Z",
"dateUpdated": "2024-09-11T18:34:36.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}