PT-2019-14847 · Halo · Halo

Jack01

·

Publicado

2019-09-25

·

Atualizado

2019-09-26

·

CVE-2019-16890

CVSS v3.1

5.4

Média

VetorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Halo version 1.1.0
Description The issue allows for XSS via a crafted authorUrl in JSON data to the "api/content/posts/comments" API endpoint.
Recommendations For Halo version 1.1.0, avoid using the authorUrl variable in the "api/content/posts/comments" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation.

Exploit

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2019-16890

Produtos afetados

Halo