Open Redirect
General Information This article contains frequently asked questions relating to the open redirect vulnerability affecting Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21. A malformed link could allow the incorrect parsing of the returnurl parameter. If the user were to access this link, log in to their account and then click on […]
SQL Injection Security Vulnerability
This article contains details relating to the SQL Injection vulnerability affecting various versions of Halo. This security update addresses an issue that could allow malicious actors to execute unauthorised database queries by supplying a carefully constructed payload. The vulnerability was found and reported by a third-party security research team, and there is no […]
SQL Injection Vulnerability Patched
General Information This article contains frequently asked questions relating to the SQL injection vulnerability affecting various Halo versions. This security update addresses an issue that could allow malicious actors to execute unauthorised database queries by supplying a carefully constructed payload. Are hosted Halo instances affected? Hosted customers have been automatically updated to a patch to […]
X.509 for encryption
Passwords and secrets are encrypted with an X.509 certificate built into the app by default. It is recommended to use your own self-signed X.509 certificate for encryption. Generate a self-signed certificate First, you need to generate a self-signed certificate to use for encryption. If you have not done this before, you can download a free […]
Enabling Reference Tokens
Enabling reference tokens in the Halo API allows sessions and tokens to be stored in the database. Each API call will check that the token is still valid in the database. Enable Reference Tokens in the Halo API and Auth server by setting "UseReferenceTokens": true inside both the API and Auth appsettings.json. Activating this will invalidate […]
CVE-2023-44487 – HTTP/2 Rapid Reset Attack and the Halo Hosted Platform
The Vulnerability The official statement from NIST is available HERE The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. How this affects Halo This vulnerability exists in the HTTP/2 protocol and is not specific to […]
Protect token signing keys with a certificate
When authenticating in Halo, access tokens are signed with a key. We recommend encrypting this key with an X.509 certificate. Generate a self-signed certificate First, you need to generate a self-signed certificate to use for encryption. If you have not done this before, you can download a free tool to do this for you here; […]
Data Storage And Security
Information on data storage and security within Halo. Where is my data stored? The application and database are hosted on AWS servers. This allows them to be highly available and reliable as well as providing strong data security. You can read more about AWS data centre controls here. Data backups Databases are synced over multiple […]
CVE-2024-6201 – Emailing Template Injection
General Information This article contains frequently asked questions relating to the emailing template injection vulnerability affecting Halo versions up to 2.143.21. Users with the permission to open tickets may embed variables that may subsequently be resolved by the emailing template engine. This might lead to the leakage of variables and custom field values via emails. […]
CVE-2024-6200 – Stored Cross-Site Scripting in Tickets
General Information This article contains frequently asked questions relating to the stored cross-site scripting vulnerability affecting Halo versions up to 2.143.6. Users with the permission to open tickets may embed malicious JavaScript code into them that, when accessed by another user, executes within the context of that user. Are hosted Halo instances affected? Hosted customers […]