How are user passwords stored?

This article discusses the method used when users are stored in Halo. When users are stored in the Halo database their passwords are stored hashed. Halo uses the Pbkdf2 key derivation function with a suitably high iteration count, to hash the password for storage in the database. Each password has its own salt applied prior […]

Security Management and Architecture

In this guide we will cover FAQs around Security Management and Architecture. How is customer backup data retained with Halo? Transactional backups are taken hourly, retained for 3 days. Daily full backups are retained for 2 weeks. Monthly full backups are retained for 90 days. UAT environments only have the daily backups taken, also retained […]

Http to Https redirect in web app

How to get HTTP to redirect to HTTPS in the web app. Open appsettings.json in the root folder (not api or auth). Add "httpsonly":true as shown below, then restart the site. Now when browsing to the HTTP version it will be replaced with the HTTPS version.

CVE-2025-40846 – Open Redirect

General Information This article contains frequently asked questions relating to the open redirect vulnerability affecting Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21. A malformed link could allow the incorrect parsing of the returnurl parameter. If the user were to access this link, login to their account and then click on […]

CVE-2023-44487 – HTTP/2 Rapid Reset Attack and the Halo Hosted Platform

The Vulnerability The official statement from NIST is available HERE The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. How this affects Halo This vulnerability exists in the HTTP/2 protocol and is not specific to […]

CVE-2024-6200 – Stored Cross-Site Scripting in Tickets

General Information This article contains frequently asked questions relating to the stored cross-site scripting vulnerability affecting Halo versions up to 2.143.6. Users with the permission to open tickets may embed malicious JavaScript code into them that, when accessed by another user, executes within the context of that user. Are hosted Halo instances affected? Hosted customers […]

CVE-2024-6201 – Emailing Template Injection

General Information This article contains frequently asked questions relating to the emailing template injection vulnerability affecting Halo versions up to 2.143.21. Users with the permission to open tickets may embed variables that may subsequently be resolved by the emailing template engine. This might lead to the leakage of variables and custom field values via emails. […]

CVE-2024-6203 – Password Reset Poisoning

General Information This article contains frequently asked questions relating to the stored cross-site scripting vulnerability affecting Halo versions up to 2.143.61 and all 2.144 and 2.145 versions. Users with access to the password forgotten functionality can issue a password reset request to the victim's email address, and by manipulating the request in a specific way […]

CVE-2024-6202 – SAML XML Signature Wrapping (XSW)

General Information This article contains frequently asked questions relating to the XML signature wrapping vulnerability affecting Halo versions up to 2.143.8. SAML XML signature wrapping is an attack method where an attacker modifies the signed SAML message without invalidating the signature. This can lead to the attacker impersonating another user. Are hosted Halo instances affected? […]

CVE-2023-4863

The issue is resolved as of version 2.170.1; see Update 31/10/2024 for more information. General Information This article contains frequently asked questions relating to the heap buffer overflow vulnerability affecting libwebp. On September 11, 2023, Google published a stable channel update to address the vulnerability in libwebp and assigned CVE-2023-4863 to track this vulnerability. libwebp […]