Halo · Halo · CVE-2022-22123
**Name of the Vulnerable Software and Affected Versions**
Halo versions v1.0.0 through v1.4.17
**Description**
Halo is affected by stored Cross-Site Scripting (XSS) in the article title: an authenticated attacker can inject arbitrary JavaScript code that will execute on a victim’s server.
**Recommendations**
For versions v1.0.0 through v1.4.17, consider restricting access to the article title feature until a patch is available, and avoid using the article title field for any sensitive operations. As a temporary workaround, validate and sanitize all user input in the article title to prevent the injection of malicious JavaScript code.
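
One way to apply the workaround above, shown as an added example that is not Halo's own code: validate the title when it is submitted and HTML-encode it wherever it is rendered. The class name `TitleGuard`, its methods and the 255-character limit are assumptions made for illustration.

```java
import java.util.List;

// Added example: hypothetical helper, not part of the Halo code base.
public class TitleGuard {
    // Assumed limit for illustration; the advisory does not state Halo's real limit.
    static final int MAX_TITLE_LENGTH = 255;

    /** Input validation: trim, then reject empty, over-long or control-character titles. */
    static String validate(String raw) {
        if (raw == null) throw new IllegalArgumentException("title is required");
        String title = raw.strip();
        if (title.isEmpty() || title.length() > MAX_TITLE_LENGTH)
            throw new IllegalArgumentException("title length out of range");
        for (int i = 0; i < title.length(); i++) {
            if (Character.isISOControl(title.charAt(i)))
                throw new IllegalArgumentException("control character in title");
        }
        return title;
    }

    /** Output encoding for HTML text nodes and quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample titles: one benign, two carrying markup.
        List<String> samples = List.of(
            "Release notes & roadmap",
            "<script>alert(1)</script>",
            "\"><img src=x onerror=alert(1)>");
        for (String raw : samples) {
            String stored = validate(raw); // kept in storage as plain text
            // Encoded at render time, so markup in the title is displayed, not interpreted.
            System.out.println("<h1>" + escapeHtml(stored) + "</h1>");
        }
    }
}
```

Encoding at render time is the control that neutralizes markup already stored in existing titles; input validation alone does not cover records saved before the workaround was applied.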