CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56156 – Halo Vulnerable to Stored XSS and RCE via File Upload Bypass
https://notcve.org/view.php?id=CVE-2024-56156
25 Apr 2025 — Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13. • https://github.com/halo-dev/halo/security/advisories/GHSA-99mc-ch53-pqh9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43793 – Halo's editor has a stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2024-43793
11 Sep 2024 — Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0. • https://github.com/halo-dev/halo/security/advisories/GHSA-28x9-hppj-m537 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43792 – Halo's editor has a stored Cross-Site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2024-43792
02 Sep 2024 — Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability. • https://github.com/halo-dev/halo/security/advisories/GHSA-x3rj-3x75-vw4g • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6203 – HaloITSM - Password Reset Poisoning
https://notcve.org/view.php?id=CVE-2024-6203
06 Aug 2024 — HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users (given their email address is known). When these poisoned links get accessed (e.g. manually by the victim or automatically by an email client software), the password reset token is leaked to the malicious actor, allowing them to set a new password for the victim's account.This potentially leads to account takeover attacks.HaloITSM versions past 2.146.... • https://haloitsm.com/guides/article/?kbid=2155 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6202 – HaloITSM - SAML XML Signature Wrapping (XSW)
https://notcve.org/view.php?id=CVE-2024-6202
06 Aug 2024 — HaloITSM versions up to 2.146.1 are affected by a SAML XML Signature Wrapping (XSW) vulnerability. When having a SAML integration configured, anonymous actors could impersonate arbitrary HaloITSM users by just knowing their email address. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability. Las versiones de HaloITSM hasta 2.146.1 se ven afectadas por una vulnerabilidad SAML XML Signature Wrapping (XSW). Al tener configurada una integración SAML, los actores a... • https://haloitsm.com/guides/article/?kbid=2154 • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6201 – HaloITSM - Emailing Template Injection
https://notcve.org/view.php?id=CVE-2024-6201
06 Aug 2024 — HaloITSM versions up to 2.146.1 are affected by a Template Injection vulnerability within the engine used to generate emails. This can lead to the leakage of potentially sensitive information. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability. Las versiones de HaloITSM hasta la 2.146.1 se ven afectadas por una vulnerabilidad de inyección de plantilla dentro del motor utilizado para generar correos electrónicos. Esto puede provocar la filtración de informaci... • https://haloitsm.com/guides/article/?kbid=2153 •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6200 – HaloITSM - Stored Cross-Site Scripting in Tickets
https://notcve.org/view.php?id=CVE-2024-6200
06 Aug 2024 — HaloITSM versions up to 2.146.1 are affected by a Stored Cross-Site Scripting (XSS) vulnerability. The injected JavaScript code can execute arbitrary action on behalf of the user accessing a ticket. HaloITSM versions past 2.146.1 (and patches starting from 2.143.61 ) fix the mentioned vulnerability. Las versiones de HaloITSM hasta 2.146.1 se ven afectadas por una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado. El código JavaScript inyectado puede ejecutar acciones arbitrarias en nombre del usuario ... • https://haloitsm.com/guides/article/?kbid=2152 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27164
https://notcve.org/view.php?id=CVE-2023-27164
10 Mar 2023 — An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file. • http://halo.com • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2022-32995
https://notcve.org/view.php?id=CVE-2022-32995
27 Jun 2022 — Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download function. Se ha detectado que Halo CMS versión v1.5.3, contiene una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) por medio de la función template remote download • https://github.com/zongdeiqianxing/cve-reports/issues/2 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2022-32994
https://notcve.org/view.php?id=CVE-2022-32994
27 Jun 2022 — Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component /api/admin/attachments/upload. Se ha detectado que Halo CMS versión v1.5.3, contiene una vulnerabilidad de carga de archivos arbitraria por medio del componente /api/admin/attachments/upload • https://github.com/zongdeiqianxing/cve-reports/issues/1 • CWE-434: Unrestricted Upload of File with Dangerous Type •