CVE-2022-32994

9.8 CRITICAL

📋 TL;DR

Halo CMS v1.5.3 contains an arbitrary file upload vulnerability in the /api/admin/attachments/upload endpoint that allows authenticated attackers to upload malicious files. This affects all Halo CMS v1.5.3 installations with the vulnerable component enabled. Attackers can achieve remote code execution by uploading webshells or other malicious payloads.

💻 Affected Systems

Products:
  • Halo CMS
Versions: v1.5.3
Operating Systems: All platforms running Halo CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the admin panel; default installations are vulnerable without additional configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to data theft, ransomware deployment, or complete system takeover via remote code execution.

🟠 Likely Case

Webshell upload leading to persistent backdoor access, data exfiltration, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper file type validation, restricted upload directories, and web application firewall rules blocking malicious uploads.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible over the internet, making exposed instances immediate targets for exploitation.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access; risk increases if attackers gain internal foothold.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once authenticated; public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.5.4 or later

Vendor Advisory: https://github.com/halo-dev/halo/releases

Restart Required: Yes

Instructions:

1. Back up your Halo CMS installation and database.
2. Download Halo CMS v1.5.4 or later from the official repository.
3. Replace the existing installation with the updated version.
4. Restart the Halo CMS service.
5. Verify the patch by checking the version and testing the upload functionality.

🔧 Temporary Workarounds

Restrict Upload Endpoint Access (all platforms)

Use the web server configuration to block or restrict access to the /api/admin/attachments/upload endpoint. Note that denying all access also blocks legitimate administrator uploads; if uploads are still needed, restrict the location to trusted source addresses instead of denying it outright.

For nginx:

    location ~ ^/api/admin/attachments/upload {
        deny all;
    }

For Apache:

    <Location "/api/admin/attachments/upload">
        Require all denied
    </Location>

Implement File Upload Validation (all platforms)

Add server-side validation, in the application configuration or an upload middleware, that restricts uploads to an explicit allowlist of file extensions and MIME types. Client-side checks and the client-supplied Content-Type header alone are not sufficient, since both are under the uploader's control.
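A server-side check of the kind this workaround calls for, written here as an added example (not Halo's own code): the extension allowlist, the magic-byte table and the function name are assumptions chosen for illustration.

```python
import os
import re

# Constructed allowlist for this example: extension -> byte prefixes the
# content must start with. Trim it to the file types your site really needs.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a web or application server may execute if the file lands under
# a served directory; rejected anywhere in the name, not only at the end.
EXECUTABLE_EXTS = {"php", "phtml", "jsp", "jspx", "asp", "aspx", "sh", "jar"}

# Letters, digits, dot, underscore and dash only; no leading dot, no spaces.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (allowed, reason). Both the name and the bytes must pass."""
    # Keep only the final path component so "../x.jpg" cannot escape the
    # upload directory; a null byte or odd character fails the name check.
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(name):
        return False, "unsafe filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    exts = parts[1:]
    # Double extensions such as shell.php.png are rejected outright.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension"
    ext = exts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    # Do not trust the declared Content-Type: sniff the first bytes instead.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not look like .{ext}"
    return True, "ok"
```

Pair the check with storing accepted files under a server-generated name in a directory the web server does not execute from, as the "If Mitigated" case above assumes.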

🧯 If You Can't Patch

  • Disable the attachments upload functionality entirely if not required
  • Implement strict network segmentation and firewall rules to limit access to the Halo CMS instance

🔍 How to Verify

Check if Vulnerable:

Check whether the instance is running Halo CMS v1.5.3, and whether /api/admin/attachments/upload accepts file types that should be rejected, which indicates missing server-side validation.

Check Version:

Check the Halo CMS admin dashboard or the configuration files for version information.

Verify Fix Applied:

Verify version is v1.5.4 or later and test that file uploads now properly validate file types and extensions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to /api/admin/attachments/upload
  • Uploads of executable files (php, jsp, asp, etc.)
  • Multiple failed upload attempts followed by successful suspicious upload

Network Indicators:

  • HTTP POST requests to /api/admin/attachments/upload with unusual file extensions
  • Traffic patterns indicating file upload exploitation

SIEM Query:

source="web_server_logs" AND (uri="/api/admin/attachments/upload" AND (file_extension="php" OR file_extension="jsp" OR file_extension="asp"))
