CVE-2020-21524

Name of the Vulnerable Software and Affected Versions halo version 1.1.3

Description The issue is related to a XML external entity (XXE) vulnerability. It affects the function of importing other blogs in the background, specifically through the /api/admin/migrations/wordpress endpoint, which parses XML files without proper security defenses. This vulnerability can be exploited to detect intranet settings, read files, and potentially enable DDoS attacks.

Recommendations For halo version 1.1.3, as a temporary workaround, consider disabling the XML parsing function in the /api/admin/migrations/wordpress endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint for importing blogs from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.