Vulnerabilities (CVE)

Filtered by vendor Halo Subscribe
Total 26 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-19999 1 Halo 1 Halo 2024-11-21 6.5 MEDIUM 7.2 HIGH
Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.
CVE-2019-16890 1 Halo 1 Halo 2024-11-21 3.5 LOW 5.4 MEDIUM
Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments.
CVE-2018-11012 1 Halo 1 Halo 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java.
CVE-2018-11011 1 Halo 1 Halo 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java.
CVE-2024-43793 1 Halo 1 Halo 2024-09-16 N/A 6.4 MEDIUM
Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0.
CVE-2024-43792 1 Halo 1 Halo 2024-09-16 N/A 6.1 MEDIUM
Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability.