CVE-2024-43792 - OpenCVE

Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Halo	Halo

Configuration 1 [-]

cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/halo-dev/halo/security/advisories/GHSA-x3rj-3x75-vw4g

History

Tue, 03 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Halo Halo halo
CPEs		cpe:2.3:a:halo:halo::::::::
Vendors & Products		Halo Halo halo
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Sep 2024 16:30:00 +0000

Type	Values Removed	Values Added
Description		Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability.
Title		Halo's editor has a stored Cross-Site Scripting vulnerability
Weaknesses		CWE-79
References		https://github.com/halo-dev/halo/security/advisories/GHSA-x3rj-3x75-vw4g
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-02T16:15:40.485Z

Updated: 2024-09-03T14:20:31.645Z

Reserved: 2024-08-16T14:20:37.324Z

Link: CVE-2024-43792

Vulnrichment

Updated: 2024-09-03T14:20:24.903Z

NVD

Status : Analyzed

Published: 2024-09-02T18:15:35.807

Modified: 2024-09-16T16:26:18.063

Link: CVE-2024-43792

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43792", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-08-16T14:20:37.324Z", "datePublished": "2024-09-02T16:15:40.485Z", "dateUpdated": "2024-09-03T14:20:31.645Z"}, "containers": {"cna": {"title": "Halo's editor has a stored Cross-Site Scripting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/halo-dev/halo/security/advisories/GHSA-x3rj-3x75-vw4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/halo-dev/halo/security/advisories/GHSA-x3rj-3x75-vw4g"}], "affected": [{"vendor": "halo-dev", "product": "halo", "versions": [{"version": "< 2.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-02T16:15:40.485Z"}, "descriptions": [{"lang": "en", "value": "Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-x3rj-3x75-vw4g", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "halo", "product": "halo", "cpes": ["cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.17.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T13:52:05.256741Z", "id": "CVE-2024-43792", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T14:20:31.645Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43792", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-03T13:52:05.256741Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*"], "vendor": "halo", "product": "halo", "versions": [{"status": "affected", "version": "0", "lessThan": "2.17.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T14:20:24.903Z"}}], "cna": {"title": "Halo's editor has a stored Cross-Site Scripting vulnerability", "source": {"advisory": "GHSA-x3rj-3x75-vw4g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "halo-dev", "product": "halo", "versions": [{"status": "affected", "version": "< 2.17.0"}]}], "references": [{"url": "https://github.com/halo-dev/halo/security/advisories/GHSA-x3rj-3x75-vw4g", "name": "https://github.com/halo-dev/halo/security/advisories/GHSA-x3rj-3x75-vw4g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-02T16:15:40.485Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43792", "state": "PUBLISHED", "dateUpdated": "2024-09-03T14:20:31.645Z", "dateReserved": "2024-08-16T14:20:37.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-02T16:15:40.485Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F0A843B-5A28-4D3B-BBCD-CA5BE1EAD754", "versionEndExcluding": "2.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.17.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. Users are advised to upgrade to version 2.17.0+. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Halo es una herramienta de c\u00f3digo abierto para crear sitios web. Se ha identificado una vulnerabilidad de seguridad en versiones anteriores a la 2.17.0 del proyecto Halo. Esta vulnerabilidad permite a un atacante ejecutar secuencias de comandos maliciosas en el navegador del usuario a trav\u00e9s de c\u00f3digo HTML y JavaScript espec\u00edfico, lo que puede provocar un ataque de Cross-site Scripting (XSS). Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.17.0+. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-43792", "lastModified": "2024-09-16T16:26:18.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-02T18:15:35.807", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/halo-dev/halo/security/advisories/GHSA-x3rj-3x75-vw4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}