Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

halo-dev

Source -

CNA

BOS Name -

Halo (FIT2CLOUD Inc.)

CNA CVEs -

6

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
6Vulnerabilities found
CVE-2024-56156
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.42% / 60.90%
||
7 Day CHG+0.09%
Published-25 Apr, 2025 | 15:08
Updated-29 Apr, 2025 | 13:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo Vulnerable to Stored XSS and RCE via File Upload Bypass

Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)
Product-halo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43793
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.11% / 30.24%
||
7 Day CHG~0.00%
Published-11 Sep, 2024 | 14:37
Updated-16 Sep, 2024 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo's editor has a stored XSS vulnerability

Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)
Product-halohalohalo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43792
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.21% / 43.83%
||
7 Day CHG~0.00%
Published-02 Sep, 2024 | 16:15
Updated-16 Sep, 2024 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo's editor has a stored Cross-Site Scripting vulnerability

Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)
Product-halohalohalo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-22125
Assigner-Mend
ShareView Details
Assigner-Mend
CVSS Score-4.8||MEDIUM
EPSS-0.42% / 61.03%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 16:45
Updated-17 Sep, 2024 | 04:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Tag

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary javascript code that will execute on a victim’s server.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)
Product-halohalo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-22124
Assigner-Mend
ShareView Details
Assigner-Mend
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 49.46%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 16:45
Updated-17 Sep, 2024 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)FIT2CLOUD Inc.
Product-halohalo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-22123
Assigner-Mend
ShareView Details
Assigner-Mend
CVSS Score-5.4||MEDIUM
EPSS-0.22% / 44.99%
||
7 Day CHG~0.00%
Published-13 Jan, 2022 | 16:45
Updated-17 Sep, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Title

In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s server.

Action-Not Available
Vendor-Halo (FIT2CLOUD Inc.)FIT2CLOUD Inc.
Product-halohalo
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')