Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.

CPE

Name | Operator | Version
---|---|---
halo | eq | 1.2.0 beta1
halo | eq | 1.1.3 beta1
halo | eq | 1.1.3 beta2
halo | le | 1.1.1
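
The setting named in the description, as an added example (not Halo's own code): a FreeMarker `Configuration` with `TemplateClassResolver.SAFER_RESOLVER` applied, plus a startup check that the configured resolver refuses the utility classes it is meant to block. The names `FreemarkerHardeningExample`, `hardenedConfiguration` and `resolverRejects` are hypothetical, and FreeMarker 2.3.23 or later is assumed on the classpath.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.TemplateException;
import freemarker.template.utility.Execute;
import freemarker.template.utility.ObjectConstructor;

public class FreemarkerHardeningExample {

    // Hypothetical factory: the page does not show Halo's configuration class.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // FreeMarker's default is UNRESTRICTED_RESOLVER, which lets a template
        // load any class by name. SAFER_RESOLVER refuses the utility classes
        // that turn template control into code execution.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        return cfg;
    }

    // True when the resolver actually configured on cfg refuses className.
    // SAFER_RESOLVER and UNRESTRICTED_RESOLVER decide on the class name alone,
    // so no Environment or Template is passed here.
    static boolean resolverRejects(Configuration cfg, String className) {
        try {
            cfg.getNewBuiltinClassResolver().resolve(className, null, null);
            return false;
        } catch (TemplateException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        Configuration weak = new Configuration(Configuration.VERSION_2_3_23);
        Configuration hardened = hardenedConfiguration();
        String[] blocked = {
            Execute.class.getName(),
            ObjectConstructor.class.getName()
        };
        for (String name : blocked) {
            System.out.printf("%s default-rejects=%b hardened-rejects=%b%n",
                name, resolverRejects(weak, name), resolverRejects(hardened, name));
            // Fail startup if the hardening is lost in a refactor or upgrade.
            if (!resolverRejects(hardened, name)) {
                throw new IllegalStateException("FreeMarker resolver allows " + name);
            }
        }
    }
}
```

`SAFER_RESOLVER` blocks only a short list of known-dangerous classes; where user-editable templates never need to instantiate classes, `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` is the stricter choice.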