CVE-2019-19999

Опубликовано: 26 дек. 2019

Источник: nvd

CVSS3: 7.2

CVSS2: 6.5

EPSS Низкий

Описание

Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.

Ссылки

https://github.com/halo-dev/halo/compare/v1.1.3-beta.2...v1.2.0-beta.1
Patch
Third Party Advisory
https://github.com/halo-dev/halo/issues/419
Exploit
Third Party Advisory
https://github.com/halo-dev/halo/issues/440
Exploit
Third Party Advisory
https://github.com/halo-dev/halo/compare/v1.1.3-beta.2...v1.2.0-beta.1
Patch
Third Party Advisory
https://github.com/halo-dev/halo/issues/419
Exploit
Third Party Advisory
https://github.com/halo-dev/halo/issues/440
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*

Версия до 1.1.1 (включая)

cpe:2.3:a:halo:halo:1.1.3:beta1:*:*:*:*:*:*

cpe:2.3:a:halo:halo:1.1.3:beta2:*:*:*:*:*:*

cpe:2.3:a:halo:halo:1.2.0:beta1:*:*:*:*:*:*

EPSS

Процентиль: 63%

0.00438

Низкий

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-918

Связанные уязвимости

GHSA-x8hw-99fp-gmh6