CVE-2019-19999
https://notcve.org/view.php?id=CVE-2019-19999
Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration. Halo en versiones anteriores a la 1.2.0-beta.1 permite la inyección de plantillas del lado del servidor (SSTI) porque TemplateClassResolver.SAFER_RESOLVER no se utiliza en la configuración de FreeMarker. • https://github.com/halo-dev/halo/compare/v1.1.3-beta.2...v1.2.0-beta.1 https://github.com/halo-dev/halo/issues/419 https://github.com/halo-dev/halo/issues/440 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2019-16890
https://notcve.org/view.php?id=CVE-2019-16890
Halo 1.1.0 has XSS via a crafted authorUrl in JSON data to api/content/posts/comments. Halo versiones 1.1.0 presenta una vulnerabilidad de tipo XSS por medio de un authorUrl diseñado en datos JSON en el archivo api/content/posts/comments. • https://github.com/halo-dev/halo/issues/311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-11012
https://notcve.org/view.php?id=CVE-2018-11012
ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java. ruibaby Halo 0.0.2 tiene Cross-Site Scripting (XSS) persistente mediante los parámetros loginName y loginPwd en un intento fallido de inicio de sesión en AdminController.java. • https://github.com/ruibaby/halo/issues/9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-11011
https://notcve.org/view.php?id=CVE-2018-11011
ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java. ruibaby Halo 0.0.2 tiene Cross-Site Scripting (XSS) persistente mediante el campo commentAuthor en FrontCommentController.java. • https://github.com/ruibaby/halo/issues/9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •