Halo
cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*
- <= 2.174.101
- >= 2.175.1, <= 2.184.21
A vulnerability has been identified in Halo's Account Security Settings, specifically in the returnUrl parameter, which is not properly validated. An attacker who gets a user to follow a crafted link can use the parameter to send that user to an arbitrary external site (open redirect) and to inject JavaScript code, leading to cross-site scripting (XSS). The affected versions are all releases up to and including 2.174.101, and all releases from 2.175.1 through 2.184.21 inclusive.
Successful exploitation results in cross-site scripting: attacker-supplied script runs in the victim's browser in the context of the Halo application's origin.
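The returnUrl weakness described above, as an added example that is not Halo's code: a naive prefix check of the kind that leaves an open redirect in place, beside a validator that resolves the parameter exactly as a browser would and accepts only same-origin http(s) paths. The application origin, the sample inputs and the function names are assumed for the demonstration. The example covers the redirect and script-URL vector; if the value is also reflected into HTML markup, it must additionally be output-encoded there, which this code does not do.

```javascript
// Added example (not Halo's code): validating a returnUrl parameter against
// open redirect and javascript: URL injection. Origin and inputs are assumed.
const APP_ORIGIN = "https://helpdesk.example.com"; // assumed application origin

// A naive check seen in many apps: "local" means it starts with a single slash.
// It never parses the value, so inputs a browser treats as absolute slip through.
function naiveIsLocal(candidate) {
  return candidate.startsWith("/") && !candidate.startsWith("//");
}

// Hardened version: resolve the candidate the way the browser will, relative to
// our own origin, then allow only http(s) URLs that still point at that origin.
// Anything else collapses to the fallback path instead of being reflected.
function safeReturnUrl(candidate, origin = APP_ORIGIN, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;
  let url;
  try {
    url = new URL(candidate, origin); // WHATWG parser: "//h", "/\h", " //h" all resolve to host h
  } catch {
    return fallback; // unparsable input is never echoed back
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback; // javascript:, data:, vbscript:
  if (url.origin !== new URL(origin).origin) return fallback; // different host, port or scheme
  // Hand back only path + query + fragment so the host can never be attacker-chosen.
  return url.pathname + url.search + url.hash;
}

// Constructed attacker inputs for the demo; each would arrive as ?returnUrl=...
const SAMPLES = [
  "/account/security?tab=2",                     // legitimate: stays on the app
  "https://helpdesk.example.com/tickets#42",     // legitimate absolute URL, same origin
  "//evil.example/phish",                        // protocol-relative: classic open redirect
  "/\\evil.example/phish",                       // backslash: browsers read it as "//", naive check passes it
  "https://helpdesk.example.com@evil.example/",  // userinfo trick: the real host is evil.example
  "javascript:alert(document.cookie)",           // script URL: XSS if assigned to location.href
];

// Runs both checks over every sample so the difference is visible side by side.
function demo() {
  return SAMPLES.map((s) => ({ input: s, naive: naiveIsLocal(s), safe: safeReturnUrl(s) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(demo());
}
```

Run it with Node to see the table; the backslash and userinfo rows are the ones where a prefix or substring check differs from what the browser actually does, which is why the validator reasons about the parsed origin rather than the raw string.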
Users with on-premises Halo instances should apply the latest stable or beta patch. Instructions for updating can be found in the Halo Knowledge Base.