CVE-2024-6201 - Emailing Template Injection | HALO

CVE-2024-6201 – Emailing Template Injection

General Information

This article contains frequently asked questions relating to the emailing template injection vulnerability affecting Halo versions up to 2.143.21.
Users with permission to open tickets may embed variables that may subsequently be resolved by the emailing template engine. This might leak variables and custom field values via email.
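
An added illustration of this class of flaw (not Halo's code and not part of the original advisory): a toy mail-merge engine that contrasts re-expanding substituted text with a single pass over the trusted template, plus a check that flags placeholders in user-supplied ticket text. The `{{name}}` syntax, the field names and all values are constructed assumptions, not Halo's actual variable format.

```python
import re

# Constructed placeholder syntax for this example only (assumption, not Halo's format).
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def _substitute(text, values):
    # Replace each known placeholder once; unknown names are left untouched.
    return PLACEHOLDER.sub(lambda m: str(values.get(m.group(1), m.group(0))), text)

def render_unsafe(template, values, max_passes=5):
    """Re-scan the output until it stops changing. Placeholders that arrive
    inside user-supplied values get resolved too, which is the flaw class."""
    out = template
    for _ in range(max_passes):
        new = _substitute(out, values)
        if new == out:
            break
        out = new
    return out

def render_safe(template, values):
    """Single pass over the trusted template. Substituted values are inserted
    as literal text and never re-scanned for placeholders."""
    return _substitute(template, values)

def find_placeholders(untrusted_text):
    """Detection helper: names of placeholders present in user-supplied text."""
    return PLACEHOLDER.findall(untrusted_text)

# Constructed sample data: a trusted notification template and ticket fields.
TEMPLATE = "New ticket from {{requester}}:\n{{ticket_body}}\n"
VALUES = {
    "requester": "alice",
    "ticket_body": "Printer is broken. {{internal_note}}",  # user-controlled
    "internal_note": "CONSTRUCTED-INTERNAL-VALUE",          # not meant for the user
}

if __name__ == "__main__":
    print("unsafe:", render_unsafe(TEMPLATE, VALUES))
    print("safe:  ", render_safe(TEMPLATE, VALUES))
    print("flagged:", find_placeholders(VALUES["ticket_body"]))
```
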

Are hosted Halo instances affected?

Hosted customers have been automatically updated with a patch that resolves this issue, so no action is required by hosted customers. The patch was released on 2024-03-12 and hosted customers were upgraded shortly afterwards.

Are on-premises Halo instances affected?

Halo on-premises installations should apply the latest stable or beta patch to their Halo instance to resolve this issue.

  • Any version >= 2.143.21

Next Steps

No action is required on the part of our customers.

We will continue to monitor our business infrastructure to ensure the same level of service and security that you expect.
