Vulnerabilities > Halo

DATE CVE VULNERABILITY TITLE RISK
2020-08-26 CVE-2020-19007 Cross-site Scripting vulnerability in Halo 1.2.0
Halo blog 1.2.0 allows users to submit comments on blog posts via /api/content/posts/comments.
network
low complexity
halo CWE-79
5.4
2019-12-26 CVE-2019-19999 Server-Side Request Forgery (SSRF) vulnerability in Halo
Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.
network
low complexity
halo CWE-918
7.2
2019-09-25 CVE-2019-16890 Cross-site Scripting vulnerability in Halo 1.1.0
Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.
network
low complexity
halo CWE-79
5.4
2018-05-12 CVE-2018-11012 Cross-site Scripting vulnerability in Halo 0.0.2
ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java.
network
low complexity
halo CWE-79
6.1
2018-05-12 CVE-2018-11011 Cross-site Scripting vulnerability in Halo 0.0.2
ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java.
network
low complexity
halo CWE-79
6.1