Vulnerability Description
Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious files including executables and HTML files, which can lead to stored cross-site scripting attacks and potential remote code execution under certain circumstances. This issue has been patched in version 2.20.13.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Halo | Halo | < 2.20.13 |
Related Weaknesses (CWE)
References
- https://github.com/halo-dev/halo/commit/24f8d7b57127e2607ec05adb7c912b3decddeb99
- https://github.com/halo-dev/halo/pull/7149Issue Tracking
- https://github.com/halo-dev/halo/security/advisories/GHSA-99mc-ch53-pqh9ExploitMitigationVendor Advisory
FAQ
What is CVE-2024-56156?
CVE-2024-56156 is a vulnerability with a CVSS score of 9.0 (CRITICAL). Halo is an open source website building tool. Prior to version 2.20.13, a vulnerability in Halo allows attackers to bypass file type validation controls. This bypass enables the upload of malicious fi...
How severe is CVE-2024-56156?
CVE-2024-56156 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-56156?
Check the references section above for vendor advisories and patch information. Affected products include: Halo Halo.