ByteOS Network

Vulnerability Details :

CVE-2022-22125

Assigner-Mend

Assigner Org ID-478c68dd-22c1-4a41-97cd-654224dfacff

Published At-13 Jan, 2022 | 16:45

Updated At-17 Sep, 2024 | 04:20

Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Tag

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s server.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Mend

Assigner Org ID:478c68dd-22c1-4a41-97cd-654224dfacff

Published At:13 Jan, 2022 | 16:45

Updated At:17 Sep, 2024 | 04:20

▼CVE Numbering Authority (CNA)

Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Tag

Affected Products

Vendor

Halo (FIT2CLOUD Inc.)

Product

halo

Versions

Affected

From v1.0.0 before unspecified (custom)
From unspecified through v1.4.17 (custom)

unknown

From next of v1.4.17 before unspecified (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-79	CWE-79 Cross-site Scripting (XSS)

Type: CWE

CWE ID: CWE-79

Description: CWE-79 Cross-site Scripting (XSS)

Metrics

Version	Base score	Base severity	Vector
3.1	4.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Version: 3.1

Base score: 4.8

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Credits

WhiteSource Vulnerability Research Team (WVR)

References

Hyperlink	Resource
https://github.com/halo-dev/halo/issues/1557	x_refsource_MISC
https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L500	x_refsource_MISC
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22125	x_refsource_MISC

Hyperlink: https://github.com/halo-dev/halo/issues/1557

Resource:

x_refsource_MISC

Hyperlink: https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L500

Resource:

x_refsource_MISC

Hyperlink: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22125

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

CVE Program Container

References

Hyperlink	Resource
https://github.com/halo-dev/halo/issues/1557	x_refsource_MISC x_transferred
https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L500	x_refsource_MISC x_transferred
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22125	x_refsource_MISC x_transferred

Hyperlink: https://github.com/halo-dev/halo/issues/1557

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L500

Resource:

x_refsource_MISC

x_transferred

Hyperlink: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22125

Resource:

x_refsource_MISC

x_transferred

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:vulnerabilitylab@mend.io

Published At:13 Jan, 2022 | 17:15

Updated At:20 Jan, 2022 | 14:46

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	4.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary	2.0	3.5	LOW	AV:N/AC:M/Au:S/C:N/I:P/A:N

Type: Primary

Version: 3.1

Base score: 4.8

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Type: Primary

Version: 2.0

Base score: 3.5

Base severity: LOW

Vector:

AV:N/AC:M/Au:S/C:N/I:P/A:N

CPE Matches

Halo (FIT2CLOUD Inc.)

>>halo>>Versions from 1.0.0(inclusive) to 1.4.17(inclusive)

cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	vulnerabilitylab@mend.io

CWE ID: CWE-79

Type: Primary

Source: vulnerabilitylab@mend.io

References

Hyperlink	Source	Resource
https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L500	vulnerabilitylab@mend.io	Exploit Third Party Advisory
https://github.com/halo-dev/halo/issues/1557	vulnerabilitylab@mend.io	Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22125	vulnerabilitylab@mend.io	Exploit Third Party Advisory

Hyperlink: https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L500

Source: vulnerabilitylab@mend.io

Resource:

Exploit

Third Party Advisory

Hyperlink: https://github.com/halo-dev/halo/issues/1557

Source: vulnerabilitylab@mend.io

Resource:

Third Party Advisory

Hyperlink: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22125

Source: vulnerabilitylab@mend.io

Resource:

Exploit

Third Party Advisory

CVE-2022-22125

Credits

Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Tag

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

unknown

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs