Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.00438
Percentile: 0.62164
CVSS Scoring
CVSS v3.1 Score: 7.2
Severity: HIGH
Mapped CWE(s)
CWE-918: Server-Side Request Forgery (SSRF)
All CAPEC(s)
CAPEC-664 : Server Side Request Forgery
CAPEC(s) with Mapped TTPs
Mapped ATT&CK TTPs
Affected Products
cpe:2.3:a:halo:halo:*:*:*:*:*:*:*:*
cpe:2.3:a:halo:halo:1.1.3:beta1:*:*:*:*:*:*
cpe:2.3:a:halo:halo:1.1.3:beta2:*:*:*:*:*:*
cpe:2.3:a:halo:halo:1.2.0:beta1:*:*:*:*:*:*
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me