Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for Halo by fit2cloud

    CVE-2025-14117 (GCVE-0-2025-14117)

    Vulnerability from nvd – Published: 2025-12-06 05:32 – Updated: 2026-02-24 05:41
    VLAI
    Title
    fit2cloud Halo cross-site request forgery
    Summary
    A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery
    • CWE-862 - Missing Authorization
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.334494 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.334494 signaturepermissions-required
    https://vuldb.com/?submit.697391 third-party-advisory
    https://blksword.flowus.cn/ related
    https://github.com/BlkSword/POC exploit
    Impacted products
    Vendor Product Version
    fit2cloud Halo Affected: 2.21.10
        cpe:2.3:a:fit2cloud:halo:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    XiaoHei (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14117",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T17:07:40.897233Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T17:14:32.795Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/BlkSword/POC"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:fit2cloud:halo:*:*:*:*:*:*:*:*"
              ],
              "product": "Halo",
              "vendor": "fit2cloud",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.21.10"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "XiaoHei (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T05:41:46.084Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-334494 | fit2cloud Halo cross-site request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.334494"
            },
            {
              "name": "VDB-334494 | CTI Indicators (IOB, IOC)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.334494"
            },
            {
              "name": "Submit #697391 | fit2cloud Halo 2.21.10 Cross-Site Request Forgery",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.697391"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://blksword.flowus.cn/"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/BlkSword/POC"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-05T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-05T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-12T14:05:58.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "fit2cloud Halo cross-site request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-14117",
        "datePublished": "2025-12-06T05:32:06.404Z",
        "dateReserved": "2025-12-05T15:26:46.924Z",
        "dateUpdated": "2026-02-24T05:41:46.084Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-28074 (GCVE-0-2022-28074)

    Vulnerability from nvd – Published: 2022-04-22 13:33 – Updated: 2024-08-03 05:41
    VLAI
    Summary
    Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:41:11.184Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/issues/1769"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \\admin\\index.html#/system/tools."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-22T13:33:49.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/issues/1769"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-28074",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \\admin\\index.html#/system/tools."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/halo-dev/halo/issues/1769",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/issues/1769"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-28074",
        "datePublished": "2022-04-22T13:33:49.000Z",
        "dateReserved": "2022-03-28T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:41:11.184Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22124 (GCVE-0-2022-22124)

    Vulnerability from nvd – Published: 2022-01-13 16:45 – Updated: 2024-09-17 02:42
    VLAI
    Title
    Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image
    Summary
    In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    halo-dev halo Affected: v1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v1.4.17 (custom)
    Unknown: next of v1.4.17 , < unspecified (custom)
    Create a notification for this product.
    Date Public
    2022-01-11 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:07:49.050Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/issues/1575"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "halo",
              "vendor": "halo-dev",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "v1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v1.4.17",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unknown",
                  "version": "next of v1.4.17",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2022-01-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim\u2019s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-13T16:45:16.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/issues/1575"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2022-01-11T23:00:00.000Z",
              "ID": "CVE-2022-22124",
              "STATE": "PUBLIC",
              "TITLE": "Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "halo",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "v1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v1.4.17"
                              },
                              {
                                "version_affected": "?\u003e",
                                "version_value": "v1.4.17"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "halo-dev"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim\u2019s browser."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30"
                },
                {
                  "name": "https://github.com/halo-dev/halo/issues/1575",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/issues/1575"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124"
                }
              ]
            },
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2022-22124",
        "datePublished": "2022-01-13T16:45:16.379Z",
        "dateReserved": "2021-12-21T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:42:04.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22123 (GCVE-0-2022-22123)

    Vulnerability from nvd – Published: 2022-01-13 16:45 – Updated: 2024-09-17 01:51
    VLAI
    Title
    Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Title
    Summary
    In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s server.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    halo-dev halo Affected: v1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v1.4.17 (custom)
    Unknown: next of v1.4.17 , < unspecified (custom)
    Create a notification for this product.
    Date Public
    2022-01-11 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:07:48.293Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/issues/1557"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "halo",
              "vendor": "halo-dev",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "v1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v1.4.17",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unknown",
                  "version": "next of v1.4.17",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2022-01-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim\u2019s server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-13T16:45:14.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/issues/1557"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "Halo CMS - Stored Cross-Site Scripting (XSS) in Article\u0027s Title",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2022-01-11T23:00:00.000Z",
              "ID": "CVE-2022-22123",
              "STATE": "PUBLIC",
              "TITLE": "Halo CMS - Stored Cross-Site Scripting (XSS) in Article\u0027s Title"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "halo",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "v1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v1.4.17"
                              },
                              {
                                "version_affected": "?\u003e",
                                "version_value": "v1.4.17"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "halo-dev"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim\u2019s server."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391"
                },
                {
                  "name": "https://github.com/halo-dev/halo/issues/1557",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/issues/1557"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123"
                }
              ]
            },
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2022-22123",
        "datePublished": "2022-01-13T16:45:14.866Z",
        "dateReserved": "2021-12-21T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:51:59.138Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-14117 (GCVE-0-2025-14117)

    Vulnerability from cvelistv5 – Published: 2025-12-06 05:32 – Updated: 2026-02-24 05:41
    VLAI
    Title
    fit2cloud Halo cross-site request forgery
    Summary
    A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery
    • CWE-862 - Missing Authorization
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.334494 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.334494 signaturepermissions-required
    https://vuldb.com/?submit.697391 third-party-advisory
    https://blksword.flowus.cn/ related
    https://github.com/BlkSword/POC exploit
    Impacted products
    Vendor Product Version
    fit2cloud Halo Affected: 2.21.10
        cpe:2.3:a:fit2cloud:halo:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    XiaoHei (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-14117",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T17:07:40.897233Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T17:14:32.795Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/BlkSword/POC"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:fit2cloud:halo:*:*:*:*:*:*:*:*"
              ],
              "product": "Halo",
              "vendor": "fit2cloud",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.21.10"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "XiaoHei (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T05:41:46.084Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-334494 | fit2cloud Halo cross-site request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.334494"
            },
            {
              "name": "VDB-334494 | CTI Indicators (IOB, IOC)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.334494"
            },
            {
              "name": "Submit #697391 | fit2cloud Halo 2.21.10 Cross-Site Request Forgery",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.697391"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://blksword.flowus.cn/"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/BlkSword/POC"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-05T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-12-05T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-12-12T14:05:58.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "fit2cloud Halo cross-site request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-14117",
        "datePublished": "2025-12-06T05:32:06.404Z",
        "dateReserved": "2025-12-05T15:26:46.924Z",
        "dateUpdated": "2026-02-24T05:41:46.084Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-28074 (GCVE-0-2022-28074)

    Vulnerability from cvelistv5 – Published: 2022-04-22 13:33 – Updated: 2024-08-03 05:41
    VLAI
    Summary
    Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:41:11.184Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/issues/1769"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \\admin\\index.html#/system/tools."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-22T13:33:49.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/issues/1769"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-28074",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \\admin\\index.html#/system/tools."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/halo-dev/halo/issues/1769",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/issues/1769"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-28074",
        "datePublished": "2022-04-22T13:33:49.000Z",
        "dateReserved": "2022-03-28T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:41:11.184Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22124 (GCVE-0-2022-22124)

    Vulnerability from cvelistv5 – Published: 2022-01-13 16:45 – Updated: 2024-09-17 02:42
    VLAI
    Title
    Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image
    Summary
    In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    halo-dev halo Affected: v1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v1.4.17 (custom)
    Unknown: next of v1.4.17 , < unspecified (custom)
    Create a notification for this product.
    Date Public
    2022-01-11 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:07:49.050Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/issues/1575"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "halo",
              "vendor": "halo-dev",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "v1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v1.4.17",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unknown",
                  "version": "next of v1.4.17",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2022-01-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim\u2019s browser."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-13T16:45:16.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/issues/1575"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2022-01-11T23:00:00.000Z",
              "ID": "CVE-2022-22124",
              "STATE": "PUBLIC",
              "TITLE": "Halo CMS - Stored Cross-Site Scripting (XSS) in Profile Image"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "halo",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "v1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v1.4.17"
                              },
                              {
                                "version_affected": "?\u003e",
                                "version_value": "v1.4.17"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "halo-dev"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim\u2019s browser."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30"
                },
                {
                  "name": "https://github.com/halo-dev/halo/issues/1575",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/issues/1575"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124"
                }
              ]
            },
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2022-22124",
        "datePublished": "2022-01-13T16:45:16.379Z",
        "dateReserved": "2021-12-21T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:42:04.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-22123 (GCVE-0-2022-22123)

    Vulnerability from cvelistv5 – Published: 2022-01-13 16:45 – Updated: 2024-09-17 01:51
    VLAI
    Title
    Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Title
    Summary
    In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim’s server.
    CWE
    • CWE-79 - Cross-site Scripting (XSS)
    Assigner
    Impacted products
    Vendor Product Version
    halo-dev halo Affected: v1.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ v1.4.17 (custom)
    Unknown: next of v1.4.17 , < unspecified (custom)
    Create a notification for this product.
    Date Public
    2022-01-11 00:00
    Credits
    WhiteSource Vulnerability Research Team (WVR)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:07:48.293Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/halo-dev/halo/issues/1557"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "halo",
              "vendor": "halo-dev",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "v1.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v1.4.17",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unknown",
                  "version": "next of v1.4.17",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "WhiteSource Vulnerability Research Team (WVR)"
            }
          ],
          "datePublic": "2022-01-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim\u2019s server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-13T16:45:14.000Z",
            "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
            "shortName": "Mend"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/halo-dev/halo/issues/1557"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123"
            }
          ],
          "source": {
            "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
            "discovery": "UNKNOWN"
          },
          "title": "Halo CMS - Stored Cross-Site Scripting (XSS) in Article\u0027s Title",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
              "DATE_PUBLIC": "2022-01-11T23:00:00.000Z",
              "ID": "CVE-2022-22123",
              "STATE": "PUBLIC",
              "TITLE": "Halo CMS - Stored Cross-Site Scripting (XSS) in Article\u0027s Title"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "halo",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "v1.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v1.4.17"
                              },
                              {
                                "version_affected": "?\u003e",
                                "version_value": "v1.4.17"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "halo-dev"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "WhiteSource Vulnerability Research Team (WVR)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary javascript code that will execute on a victim\u2019s server."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/service/impl/PostServiceImpl.java#L391"
                },
                {
                  "name": "https://github.com/halo-dev/halo/issues/1557",
                  "refsource": "MISC",
                  "url": "https://github.com/halo-dev/halo/issues/1557"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22123"
                }
              ]
            },
            "source": {
              "advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
        "assignerShortName": "Mend",
        "cveId": "CVE-2022-22123",
        "datePublished": "2022-01-13T16:45:14.866Z",
        "dateReserved": "2021-12-21T00:00:00.000Z",
        "dateUpdated": "2024-09-17T01:51:59.138Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }