Vulnerabilities > Halo > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-03-10 CVE-2023-27164 Unrestricted Upload of File with Dangerous Type vulnerability in Halo
An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file.
network
low complexity
halo CWE-434
4.8
2022-04-05 CVE-2022-26619 Unrestricted Upload of File with Dangerous Type vulnerability in Halo 1.4.17
Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.
network
low complexity
halo CWE-434
5.0
2021-07-12 CVE-2020-19037 Improper Authentication vulnerability in Halo 0.4.3
Incorrect Access Control vulnearbility in Halo 0.4.3, which allows a malicious user to bypass encrption to view encrpted articles via cookies.
network
low complexity
halo CWE-287
5.0
2021-07-12 CVE-2020-23079 Server-Side Request Forgery (SSRF) vulnerability in Halo
SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet.
network
low complexity
halo CWE-918
5.0
2021-07-12 CVE-2020-18979 Cross-site Scripting vulnerability in Halo 0.4.3
Cross Siste Scripting (XSS) vulnerablity in Halo 0.4.3 via the X-forwarded-for Header parameter.
network
halo CWE-79
4.3
2021-05-20 CVE-2020-21345 Cross-site Scripting vulnerability in Halo 1.1.3
Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malicious user execute arbitrary code.
network
halo CWE-79
4.3
2020-09-30 CVE-2020-21525 Path Traversal vulnerability in Halo 1.1.3
Halo V1.1.3 is affected by: Arbitrary File reading.
network
low complexity
halo CWE-22
5.0
2020-09-30 CVE-2020-21524 XXE vulnerability in Halo 1.1.3
There is a XML external entity (XXE) vulnerability in halo v1.1.3, The function of importing other blogs in the background(/api/admin/migrations/wordpress) needs to parse the xml file, but it is not used for security defense, This vulnerability can detect the intranet, read files, enable ddos attacks, etc.
network
low complexity
halo CWE-611
6.4
2019-12-26 CVE-2019-19999 Server-Side Request Forgery (SSRF) vulnerability in Halo
Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.
network
low complexity
halo CWE-918
6.5
2018-05-12 CVE-2018-11012 Cross-site Scripting vulnerability in Halo 0.0.2
ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java.
network
halo CWE-79
4.3