Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image
CVE-2022-22124

5.4MEDIUM

Key Information:

Vendor

Halo-dev

Status
Halo
Vendor
CVE Published:
13 January 2022

What is CVE-2022-22124?

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

halo v1.0.0

halo <= unspecified

References

https://github.com/halo-dev/halo/blob/v1.4.17/src/main/ja...
x_refsource_MISC
https://github.com/halo-dev/halo/issues/1575
x_refsource_MISC
https://www.whitesourcesoftware.com/vulnerability-databas...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

WhiteSource Vulnerability Research Team (WVR)
JSON
.