Vulnerabilities > Halo
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-09-30 | CVE-2020-21527 | Path Traversal vulnerability in Halo 1.1.3 There is an Arbitrary file deletion vulnerability in halo v1.1.3. | 8.5 |
| 2020-09-30 | CVE-2020-21526 | Path Traversal vulnerability in Halo 1.1.3 An Arbitrary file writing vulnerability in halo v1.1.3. | 7.5 |
| 2020-09-30 | CVE-2020-21525 | Path Traversal vulnerability in Halo 1.1.3 Halo V1.1.3 is affected by: Arbitrary File reading. | 5.0 |
| 2020-09-30 | CVE-2020-21524 | XXE vulnerability in Halo 1.1.3 There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the background(/api/admin/migrations/wordpress) needs to parse the xml file, but it is not used for security defense, This vulnerability can detect the intranet, read files, enable ddos attacks, etc. | 6.4 |
| 2020-09-30 | CVE-2020-21523 | Injection vulnerability in Halo 1.1.3 A Server-Side Freemarker template injection vulnerability in halo CMS v1.1.3 In the Edit Theme File function. | 10.0 |
| 2020-09-30 | CVE-2020-21522 | Path Traversal vulnerability in Halo 1.1.3 An issue was discovered in halo V1.1.3. | 7.5 |
| 2020-08-26 | CVE-2020-19007 | Cross-site Scripting vulnerability in Halo 1.2.0 Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. | 3.5 |
| 2019-12-26 | CVE-2019-19999 | Server-Side Request Forgery (SSRF) vulnerability in Halo Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration. | 6.5 |
| 2019-09-25 | CVE-2019-16890 | Cross-site Scripting vulnerability in Halo 1.1.0 Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments. | 3.5 |
| 2018-05-12 | CVE-2018-11012 | Cross-site Scripting vulnerability in Halo 0.0.2 ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java. | 4.3 |