Any-How

**Name of the Vulnerable Software and Affected Versions** halo version 1.1.3 **Description** An issue was discovered in the backend of the software, allowing for a Zip Slip Directory Traversal. This enables an attacker to overwrite certain files, including ftl files and .bashrc files in the user directory, potentially leading to the acquisition of operating system permissions. **Recommendations** For version 1.1.3, consider restricting access to the backend to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the vulnerable functionality in the backend that allows for file overwrites.

**Name of the Vulnerable Software and Affected Versions** halo CMS version 1.1.3 **Description** A Server-Side Freemarker template injection issue exists in the Edit Theme File function, where the ftl file can be edited. This Freemarker template file can cause arbitrary code execution when rendered in the background. An example of exploitation is through the assignment and execution of a specific command, such as creating a file named "freemarkerPwned" in the /tmp directory. **Recommendations** For halo CMS version 1.1.3, as a temporary workaround, consider restricting access to the Edit Theme File function to minimize the risk of exploitation. Additionally, avoid editing the ftl file directly until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** halo version 1.1.3 **Description** The issue is related to a XML external entity (XXE) vulnerability. It affects the function of importing other blogs in the background, specifically through the `/api/admin/migrations/wordpress` endpoint, which parses XML files without proper security defenses. This vulnerability can be exploited to detect intranet settings, read files, and potentially enable DDoS attacks. **Recommendations** For halo version 1.1.3, as a temporary workaround, consider disabling the XML parsing function in the `/api/admin/migrations/wordpress` endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint for importing blogs from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** halo version 1.1.3 **Description** The issue concerns an arbitrary file writing vulnerability. It involves a directory traversal check on the input `path` parameter in an interface designed to write files in the background. However, this check can be bypassed using the `startsWith` function. **Recommendations** For version 1.1.3, consider restricting access to the file writing interface until a patch is available. As a temporary workaround, review and validate all input paths to prevent directory traversal attacks.

**Name of the Vulnerable Software and Affected Versions** halo version 1.1.3 **Description** The issue allows a user to delete any files on the system through directory traversal when deleting their backup files, due to a backup function in the background. **Recommendations** For halo version 1.1.3, consider restricting the backup function's access to file deletion until a patch is available. As a temporary workaround, restrict access to the backup module to minimize the risk of exploitation.