Command Centre
CVE-2024-21815
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users.
This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior.
AnalysisAI
Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. Insufficiently protected credentials (CWE-522) for third party DVR integrations to the Command Centre Server are accessible to authenticated but unprivileged users. This issue affects: Gallagher Command Centre 9.00 prior to vEL9.00.1774 (MR2), 8.90 prior to vEL8.90.1751 (MR3), 8.80 prior to vEL8.80.1526 (MR4), 8.70 prior to vEL8.70.2526 (MR6), all version of 8.60 and prior. Affected products include: Gallagher Command Centre.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.
More in Command Centre
View allIt is possible to enumerate access card credentials via an unauthenticated network connection to the server in versions
An issue was discovered in Gallagher Command Centre 8.10 before 8.10.1092(MR2). Rated critical severity (CVSS 9.8), this
Improper Authorization vulnerability in Gallagher Command Centre Server allows command line macros to be modified by an
Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote
Improper Authentication vulnerability in Gallagher Command Centre Server allows an unauthenticated remote attacker to cr
Client-Side enforcement of Server-Side security for the Command Centre server could be bypassed and lead to invalid conf
Improper Encoding or Escaping in Gallagher Command Centre Server allows a Command Centre Operator to alter the configura
Unquoted service path vulnerability in the Gallagher Controller Service allows an unprivileged user to execute arbitrary
In Gallagher Command Centre versions 8.10 prior to 8.10.1134(MR4), 8.00 prior to 8.00.1161(MR5), 7.90 prior to 7.90.991(
A stack-based buffer overflow in the Command Centre Server allows an attacker to cause a denial of service attack via as
An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV
It is possible for an unauthenticated remote DCOM websocket connection to crash the Command Centre service due to an out
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today