Halo prior to 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.
| Vulnerable Product |
|---|
| halo halo |
| halo halo 1.1.3 |
| halo halo 1.2.0 |
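
The description above names the missing setting. The following is an added example, not code from Halo or from this advisory, showing a FreeMarker `Configuration` left at its default resolver beside one that sets `TemplateClassResolver.SAFER_RESOLVER`, plus a startup guard. The class and method names and the `VERSION_2_3_23` compatibility constant are assumptions chosen for illustration.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;

// Added example: names in this class are hypothetical, not Halo's.
public final class FreeMarkerResolverHardening {

    // Weak: a Configuration left at its defaults keeps
    // TemplateClassResolver.UNRESTRICTED_RESOLVER for the ?new built-in.
    static Configuration defaultConfiguration() {
        return new Configuration(Configuration.VERSION_2_3_23);
    }

    // Corrected: restrict which classes a template may instantiate via ?new.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        return cfg;
    }

    // Startup guard: refuse to run with the unrestricted resolver.
    // It only detects the built-in unrestricted instance; a custom
    // resolver still has to be reviewed separately.
    static void requireRestrictedResolver(Configuration cfg) {
        TemplateClassResolver resolver = cfg.getNewBuiltinClassResolver();
        if (resolver == TemplateClassResolver.UNRESTRICTED_RESOLVER) {
            throw new IllegalStateException(
                "FreeMarker new_builtin_class_resolver is unrestricted; "
                + "use SAFER_RESOLVER or ALLOWS_NOTHING_RESOLVER");
        }
    }

    public static void main(String[] args) {
        requireRestrictedResolver(hardenedConfiguration());
        System.out.println("hardened configuration accepted");
        try {
            requireRestrictedResolver(defaultConfiguration());
        } catch (IllegalStateException e) {
            System.out.println("default configuration rejected: " + e.getMessage());
        }
    }
}
```

In a Spring Boot application the same setting can be supplied as `spring.freemarker.settings.new_builtin_class_resolver=safer`. The resolver governs only the `?new` built-in, so templates editable by untrusted users still need review of what the data model exposes.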