CVE-2024-6203 - Password Reset Poisoning
<style>p { margin: 0 0 10px; }h1, h2, h3 { margin: 20px 0 10px; }h4, h5, h6 { margin: 10px 0 10px; }</style>
<h3 id="general-information">General Information</h3>
<p>This article contains frequently asked questions relating to the stored cross-site scripting vulnerability affecting Halo versions up to 2.143.61 and all 2.144 and 2.145 versions. Users with access to the forgotten-password functionality can issue a password reset request to the victim's email address and, by manipulating the request in a specific way, can force the email to contain a poisoned link. If the victim accesses this link, the password reset token can be leaked.</p>
<h3 id="are-hosted-halo-instances-affected">Are hosted Halo instances affected?</h3>
<p>Hosted customers have been automatically updated to a patch that resolves this issue, so no action is required by hosted customers. The patch was released on 2024-04-19 and hosted customers would have been upgraded shortly afterwards.</p>
<h3 id="are-on-prem-halo-instances-affected">Are On-Prem Halo instances affected?</h3>
<p>Halo On-Prem installations should apply the latest stable or beta patch to their Halo instance to resolve this issue.</p>
<ul>
<li>Any patch &gt;= 2.143.61.</li>
<li>Any version &gt;= 2.146.1.</li>
</ul>
<h3 id="next-steps">Next Steps</h3>
<p>No action is required on the part of our customers.</p>
<p>We will continue to monitor our business infrastructure to ensure the same level of service and security that you expect.</p>
<h3 id="links">Links</h3>