CVE-2023-27164 : An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to

An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file.

Published 2023-03-10 16:15:11

Updated 2023-03-31 20:15:08

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2023-27164

Halo » Halo
Versions up to, including, (<=) 1.6.1
cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	1.7	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: nvd@nist.gov (Primary)

https://gist.github.com/b33t1e/a1a0d81b1173d0d00de8f4e7958dd867

CVE-2023-27164 · GitHub
http://halo.com

HALO Branded Solutions | A Promotional & Recognition Company
Product
https://notes.sjtu.edu.cn/s/s5oEvs-p5

halo <= 1.6.1 file upload details - CodiMD
Exploit;Third Party Advisory
https://github.com/halo-dev/halo

GitHub - halo-dev/halo: 强大易用的开源建站工具。
Product

Jump to