Vulnerabilities > Halo

DATE CVE VULNERABILITY TITLE RISK
2021-07-12 CVE-2020-23079 Server-Side Request Forgery (SSRF) vulnerability in Halo
SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can be used to probe the server's intranet.
network
low complexity
halo CWE-918
5.0
2021-07-12 CVE-2020-19038 Missing Authorization vulnerability in Halo 0.4.3
File Deletion vulnerability in Halo 0.4.3 via delBackup.
network
low complexity
halo CWE-862
6.4
2021-07-12 CVE-2020-19037 Improper Authentication vulnerability in Halo 0.4.3
Incorrect Access Control vulnerability in Halo 0.4.3, which allows a malicious user to bypass encryption to view encrypted articles via cookies.
network
low complexity
halo CWE-287
5.0
2021-07-12 CVE-2020-18982 Cross-site Scripting vulnerability in Halo 0.4.3
Cross Site Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl.
network
halo CWE-79
3.5
2021-07-12 CVE-2020-18980 Unspecified vulnerability in Halo 0.4.3
Remote Code Execution vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters.
network
low complexity
halo
7.5
2021-07-12 CVE-2020-18979 Cross-site Scripting vulnerability in Halo 0.4.3
Cross Site Scripting (XSS) vulnerability in Halo 0.4.3 via the X-Forwarded-For header parameter.
network
halo CWE-79
4.3
2021-05-20 CVE-2020-21345 Cross-site Scripting vulnerability in Halo 1.1.3
Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malicious user execute arbitrary code.
network
halo CWE-79
4.3
2020-09-30 CVE-2020-21522 Path Traversal vulnerability in Halo 1.1.3
An issue was discovered in halo V1.1.3.
network
low complexity
halo CWE-22
7.5
2020-09-30 CVE-2020-21523 Injection vulnerability in Halo 1.1.3
A server-side Freemarker template injection vulnerability exists in halo CMS v1.1.3 in the Edit Theme File function.
network
low complexity
halo CWE-74
critical
10.0
2020-09-30 CVE-2020-21524 XXE vulnerability in Halo 1.1.3
There is an XML external entity (XXE) vulnerability in halo v1.1.3. The function for importing other blogs in the admin backend (/api/admin/migrations/wordpress) needs to parse the XML file, but no security defense is applied to the parsing. This vulnerability can be used to detect the intranet, read files, enable DDoS attacks, etc.
network
low complexity
halo CWE-611
6.4