Vulnerabilities > Halo

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Product | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2020-09-30 | CVE-2020-21527 | Path Traversal vulnerability in Halo 1.1.3 | There is an arbitrary file deletion vulnerability in Halo v1.1.3. | network | low complexity | halo | CWE-22 | 8.5 |
| 2020-09-30 | CVE-2020-21526 | Path Traversal vulnerability in Halo 1.1.3 | There is an arbitrary file writing vulnerability in Halo v1.1.3. | network | low complexity | halo | CWE-22 | 7.5 |
| 2020-09-30 | CVE-2020-21525 | Path Traversal vulnerability in Halo 1.1.3 | Halo v1.1.3 is affected by arbitrary file reading. | network | low complexity | halo | CWE-22 | 5.0 |
| 2020-09-30 | CVE-2020-21524 | XXE vulnerability in Halo 1.1.3 | There is an XML external entity (XXE) vulnerability in Halo v1.1.3. The function for importing other blogs in the admin back end (/api/admin/migrations/wordpress) needs to parse the XML file but applies no security defenses. This vulnerability can be used to probe the intranet, read files, enable DDoS attacks, etc. | network | low complexity | halo | CWE-611 | 6.4 |
| 2020-09-30 | CVE-2020-21523 | Injection vulnerability in Halo 1.1.3 | A server-side FreeMarker template injection vulnerability exists in Halo CMS v1.1.3, in the Edit Theme File function. | network | low complexity | halo | CWE-74 | critical 10.0 |
| 2020-09-30 | CVE-2020-21522 | Path Traversal vulnerability in Halo 1.1.3 | An issue was discovered in Halo v1.1.3. | network | low complexity | halo | CWE-22 | 7.5 |
| 2020-08-26 | CVE-2020-19007 | Cross-site Scripting vulnerability in Halo 1.2.0 | Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments. | network | | halo | CWE-79 | 3.5 |
| 2019-12-26 | CVE-2019-19999 | Server-Side Request Forgery (SSRF) vulnerability in Halo | Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration. | network | low complexity | halo | CWE-918 | 6.5 |
| 2019-09-25 | CVE-2019-16890 | Cross-site Scripting vulnerability in Halo 1.1.0 | Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments. | network | | halo | CWE-79 | 3.5 |
| 2018-05-12 | CVE-2018-11012 | Cross-site Scripting vulnerability in Halo 0.0.2 | ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java. | network | | halo | CWE-79 | 4.3 |