Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.
CVSS Score
7.5
EPSS Score
0.002
Published
2022-04-05
In halo 1.4.14, the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-03-24
In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s server.
CVSS Score
4.8
EPSS Score
0.004
Published
2022-01-13
Cross Sie Scripting (XSS) vulnerability in Halo 0.4.3 via CommentAuthorUrl.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-07-12
Incorrect Access Control vulnearbility in Halo 0.4.3, which allows a malicious user to bypass encrption to view encrpted articles via cookies.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-07-12
File Deletion vulnerability in Halo 0.4.3 via delBackup.
CVSS Score
9.1
EPSS Score
0.003
Published
2021-07-12
SSRF vulnerability in Halo <=1.3.2 exists in the SMTP configuration, which can detect the server intranet.
CVSS Score
7.5
EPSS Score
0.003
Published
2021-07-12
Remote Code Executon vulnerability in Halo 0.4.3 via the remoteAddr and themeName parameters.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-07-12
Cross Siste Scripting (XSS) vulnerablity in Halo 0.4.3 via the X-forwarded-for Header parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-07-12
Cross Site Scripting (XSS) vulnerability in Halo 1.1.3 via post publish components in the manage panel, which lets a remote malicious user execute arbitrary code.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-05-20