CVE-2024-6200 – HaloITSM - Stored Cross-Site Scripting in Tickets
https://notcve.org/view.php?id=CVE-2024-6200
HaloITSM versions up to 2.146.1 are affected by a Stored Cross-Site Scripting (XSS) vulnerability. The injected JavaScript code can execute arbitrary actions on behalf of the user accessing a ticket. HaloITSM versions after 2.146.1 (and patches starting from 2.143.61) fix the vulnerability.
References: https://haloitsm.com/guides/article/?kbid=2152
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-27164
https://notcve.org/view.php?id=CVE-2023-27164
An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file.
References: http://halo.com https://gist.github.com/b33t1e/a1a0d81b1173d0d00de8f4e7958dd867 https://github.com/halo-dev/halo https://notes.sjtu.edu.cn/s/s5oEvs-p5
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-32995
https://notcve.org/view.php?id=CVE-2022-32995
Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the template remote download function.
References: https://github.com/zongdeiqianxing/cve-reports/issues/2
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2022-32994
https://notcve.org/view.php?id=CVE-2022-32994
Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload.
References: https://github.com/zongdeiqianxing/cve-reports/issues/1
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-26619
https://notcve.org/view.php?id=CVE-2022-26619
Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.
References: https://github.com/halo-dev/halo/issues/1702
CWE-434: Unrestricted Upload of File with Dangerous Type