CVE-2019-19999
Severity: HIGH
WAF: Medium
CVSS 7.2
Published: 2019-12-26
CWE-918
Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| halo | halo | up to 1.1.1 |
| halo | halo | 1.1.3 |
| halo | halo | 1.2.0 |