File Type Validation Bypass in Halo Website Builder
CVE-2024-56156

5.5MEDIUM

Key Information:

Vendor

Halo-dev

Status
Halo
Vendor
CVE Published:
25 April 2025

What is CVE-2024-56156?

Halo, an open-source website building tool, contains a vulnerability that allows attackers to bypass file type validation controls. This serious flaw enables the uploading of malicious files, such as executables and HTML files, potentially resulting in stored cross-site scripting attacks and remote code execution under specific conditions. This issue was addressed in the patch released in version 2.20.13, reinforcing the importance of keeping your software up to date.

Affected Version(s)

halo < 2.20.13

References

https://github.com/halo-dev/halo/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/halo-dev/halo/pull/7149
x_refsource_MISC
https://github.com/halo-dev/halo/commit/24f8d7b57127e2607...
x_refsource_MISC

CVSS V4

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

.