Halo Security Vulnerabilities

CVE-2023-27164

An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md...

CVE-2022-36784

Elsight – Elsight Halo Remote Code Execution (RCE) Elsight Halo web panel allows us to perform connection validation. through the POST request : /api/v1/nics/wifi/wlan0/ping we can abuse DESTINATION parameter and leverage it to remote code...

CVE-2022-32994

Halo CMS v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the component...

CVE-2022-32995

Halo CMS v1.5.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the template remote download...

CVE-2022-28074

Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via...

CVE-2022-26619

Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload...

CVE-2021-43659

In halo 1.4.14, the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS...

CVE-2022-22125

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s...

CVE-2022-22123

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s...

CVE-2022-22124

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s...