CVE-2024-56156

Medium CVSS: 5.5

Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13.

Vendor

Halo

Product

Halo

CWE

CWE-79

Yayın Tarihi

2025-04-25 16:15:25

Güncelleme

2026-02-03 19:16:10

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Halo MEDIUM Halo 2025

Referanslar

https://github.com/halo-dev/halo/commit/24f8d7b57127e2607ec05adb7c912b3decddeb99 https://github.com/halo-dev/halo/pull/7149 https://github.com/halo-dev/halo/security/advisories/GHSA-99mc-ch53-pqh9

Benzer Kayıtlar

High

CVE-2025-70886

An issue in halo v.2.22.4 and before allows a remote attacker to cause a denial of service via a crafted payload to the…

Low

CVE-2025-15141

A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator o…

Medium

CVE-2025-44593

Halo prior to 2.20.13 allows bypassing file type detection and uploading malicious files such as .exe and .html files. S…

Medium

CVE-2025-44595

Halo v2.20.17 and before is vulnerable to Cross Site Scripting (XSS) in /halo_host/archives/{name}.

Critical

CVE-2025-44594

halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/a…