CVE-2024-6200 – Stored Cross-Site Scripting in Tickets

General Information: This article contains frequently asked questions relating to the stored cross-site scripting vulnerability affecting Halo versions up to 2.143.6. Users with permission to open tickets may embed malicious JavaScript code into them which, when the ticket is accessed by another user, executes within that user's context. Are hosted Halo instances affected? Hosted customers […]

Read-only connection for reports

Prevent abuse of the report builder by ensuring a database connection with read-only privileges is used for SQL reports. Create a SQL user with read-only access to the Halo database: create a new SQL user account in SQL Server Management Studio by going to Security > Logins, right-clicking Logins and selecting New Login. Use […]

Enabling Secure Cookies in the Web Application

Enable secure cookies to stop cookies from being sent over HTTP. This is not enabled by default because it makes the application unusable over HTTP. Before enabling it, ensure an HTTP-to-HTTPS redirect is in place, as the app will no longer function over HTTP. Add the following property to the 3 appsettings.json files at […]

CVE-2024-6203 – Password Reset Poisoning

General Information: This article contains frequently asked questions relating to the password reset poisoning vulnerability affecting Halo versions up to 2.143.61 and all 2.144 and 2.145 versions. Users with access to the forgotten-password functionality can issue a password reset request to the victim's email address and, by manipulating the request in a specific way, […]

CVE-2024-6202 – SAML XML Signature Wrapping (XSW)

General Information: This article contains frequently asked questions relating to the XML signature wrapping vulnerability affecting Halo versions up to 2.143.8. SAML XML signature wrapping is an attack method in which an attacker modifies a signed SAML message without invalidating its signature. This can allow the attacker to impersonate another user. Are hosted Halo instances affected? […]

CORS Policy on Halo API

By default, the CORS policy on all Halo web apps is a wildcard that allows all origins. To enable a stricter CORS policy that blocks requests from other origins, follow the steps below. In appsettings.json for the API and Auth Server, add "UseCorsPolicy": true. Also add "CorsWhiteList" as an array of strings. Enter the hostname of each […]

CVE-2023-4863

The issue is resolved as of version 2.170.1; see Update 31/10/2024 for more information. General Information: This article contains frequently asked questions relating to the heap buffer overflow vulnerability affecting libwebp. On September 11, 2023, Google published a stable channel update to address the vulnerability in libwebp and assigned CVE-2023-4863 to track it. libwebp […]

How are user passwords stored?

This article discusses how user passwords are stored in Halo. When users are stored in the Halo database, their passwords are stored hashed. Halo uses the Pbkdf2 key derivation function with a suitably high iteration count to hash the password for storage in the database. Each password has its own salt applied prior […]

Enable HTTP strict transport security (HSTS)

This ensures all traffic to the Halo site uses a secure HTTPS connection only. HTTPS must already be configured for the web application. Currently, these steps are required again after any upgrade. If HTTPS/SSL is not configured and HSTS is enabled, the application will not work. Open web.config in the root of your Halo web […]

Http to Https redirect in web app

How to get HTTP to redirect to HTTPS in the web app. Open appsettings.json in the root folder (not the api or auth folders). Add "httpsonly": true as shown below, then restart the site. Now, when browsing to the HTTP version of the site, you will be redirected to the HTTPS version.