PT-2022-11880 · Halo · Halo

Published 2022-03-24 · Updated 2022-03-29 · CVE-2021-43659

CVSS v3.1 5.4 Medium

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Halo version 1.4.14
Description The avatar upload function does not restrict the type of file uploaded, so an arbitrary file such as an HTML document can be uploaded and stored, resulting in a stored XSS vulnerability.
Recommendations For Halo version 1.4.14, disable the avatar upload function until a patch is available to prevent exploitation of the stored XSS vulnerability, and restrict access to uploaded files to minimize the risk of stored XSS attacks.
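The control that closes this class of bug is server-side validation of what an avatar upload actually contains, plus safe response headers when it is served. The following is an added example written for this advisory, not Halo's own code: the allowlist, size limit and header set are constructed assumptions, and the avatar is stored under a server-chosen name so the client's filename and extension never reach disk.

```python
import hashlib

# Avatar formats accepted, keyed by the magic bytes that must start the file.
# Allowlist and limits are constructed for this example, not taken from Halo.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAX_AVATAR_BYTES = 2 * 1024 * 1024


class AvatarRejected(ValueError):
    """Raised when an upload fails any of the checks below."""


def validate_avatar(filename: str, data: bytes) -> dict:
    """Check an uploaded avatar; return its storage name and serving headers."""
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise AvatarRejected("empty upload or file too large")

    # The client controls the filename, so the extension alone proves nothing;
    # it is checked only to reject obvious non-images early (e.g. '.html').
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise AvatarRejected(f"extension {ext!r} is not an image type")

    # Sniff the real content: an HTML document renamed to .png has no image signature.
    for signature, (canonical_ext, mime) in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            break
    else:
        raise AvatarRejected("content does not start with a supported image signature")

    # Store under a hash-derived name with the canonical extension, so neither the
    # original name nor its extension ever reaches disk or a URL.
    stored_name = f"{hashlib.sha256(data).hexdigest()[:32]}.{canonical_ext}"

    # When serving: fix the MIME type from the sniffed format and forbid browser
    # content sniffing, so even a polyglot that is both a valid image and HTML is
    # never rendered as a document. The CSP disables scripts if it somehow were.
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return {"stored_name": stored_name, "headers": headers}
```

Serving avatars from a separate origin (or a dedicated static host) in addition to these headers removes the remaining risk that an uploaded file runs in the application's origin.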

Related Identifiers CVE-2021-43659

Affected Products Halo