Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.
CVSS Score
7.2
EPSS Score
0.004
Published
2019-12-26
Page 2