First published: Thu Jan 13 2022
In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary JavaScript to run in a victim's browser.
Credit: vulnerabilitylab@mend.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fit2cloud Halo | >=1.0.0, <=1.4.17 | |
CVE-2022-22124 is a vulnerability in Fit2cloud Halo versions v1.0.0 to v1.4.17 that allows an authenticated attacker to upload a malicious SVG file and trigger arbitrary JavaScript execution on a victim's browser.
CVE-2022-22124 has a severity score of 5.4, which is considered medium.
Fit2cloud Halo versions v1.0.0 to v1.4.17 are affected by CVE-2022-22124.
An authenticated attacker can exploit CVE-2022-22124 by uploading a carefully crafted SVG file as a profile image, which will trigger the execution of arbitrary JavaScript on a victim's browser.
Yes, you can find more information about CVE-2022-22124 at the following references: [GitHub](https://github.com/halo-dev/halo/blob/v1.4.17/src/main/java/run/halo/app/handler/file/FileHandler.java#L30), [GitHub Issues](https://github.com/halo-dev/halo/issues/1575), [WhiteSource Software](https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22124).
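As an added example (not Halo's code), the kind of upload gate that closes this class of issue: it content-sniffs the avatar bytes, refuses any SVG whatever its file extension or declared MIME type, and reports the script-capable parts it found (script and foreignObject elements, on* event handlers, javascript: URIs). Function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can run script or embed arbitrary HTML when the SVG is opened by itself.
SCRIPT_TAGS = {"script", "foreignObject"}
# SVG 2 uses a plain href; SVG 1.1 uses xlink:href.
URI_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def is_svg(data: bytes) -> bool:
    """Content-sniff: the upload is SVG if its root element is <svg>,
    regardless of the file name or declared MIME type.
    (For untrusted input in production, parse with defusedxml instead of stdlib ET.)"""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag in ("svg", f"{{{SVG_NS}}}svg")


def svg_script_findings(data: bytes) -> list[str]:
    """Return each reason an SVG document could execute script, in document order."""
    findings = []
    for el in ET.fromstring(data).iter():
        local = el.tag.rsplit("}", 1)[-1]          # strip namespace
        if local in SCRIPT_TAGS:
            findings.append(f"element <{local}>")
        for name, value in el.attrib.items():
            attr_local = name.rsplit("}", 1)[-1]
            if attr_local.lower().startswith("on"):
                findings.append(f"event handler {attr_local} on <{local}>")
            if name in URI_ATTRS and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URI in {attr_local} on <{local}>")
    return findings


def accept_profile_image(filename: str, data: bytes) -> tuple[bool, str]:
    """Avatar policy: raster formats only. Any SVG, even one renamed to .png, is refused."""
    if is_svg(data):
        reasons = svg_script_findings(data)
        detail = "; ".join(reasons) if reasons else "SVG is not an accepted avatar format"
        return False, detail
    return True, "ok"


# Constructed samples (not from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
                b'<script>x()</script></svg>')
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

An `<img src>` reference does not run script inside an SVG, but the same file opened directly from the site's own origin does, which is why rejecting SVG at upload (or serving uploads from a separate origin with `Content-Disposition: attachment`) matters more than where the avatar is embedded.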