# halo <= 1.6.1 file upload details
## Acknowledgment
**Credit to [@beet1e](https://github.com/b33t1e) from Shanghai Jiao Tong University and [@chenlibo147](mailto:chenlibo147@mail.sdu.edu.cn), [@houqinsheng](mailto:houqinsheng@mail.sdu.edu.cn), 202037049@mail.sdu.edu.cn from Shandong University.**
## Vulnerability description
Follow the official documentation to start halo with the Docker installation.

Then, we log into the administrator dashboard.

Here we can use the import function to import articles in Markdown format.
This function corresponds to the API /api/admin/backups/markdown/import, and the API accepts files with malicious content.
We upload the following file:
```
<script>alert("XSS")</script>
```

The file will be uploaded successfully:

When someone reads this article, the JavaScript code is executed in their browser.


So, the API /api/admin/backups/markdown/import has a malicious file upload vulnerability.
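One server-side check an import endpoint could apply before storing a Markdown document, as an added example that is not halo's own code. It assumes the import handler can reject a file; the names `find_active_html` and `accept_import` are hypothetical, and the input strings in the comments are constructed.

```python
"""Detect raw HTML in an imported Markdown file that would execute script
once the article is rendered. Added example, not halo's code."""
import re
from html.parser import HTMLParser

DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}
# Fenced and inline code spans are rendered escaped by a Markdown engine,
# so HTML inside them cannot execute and must not produce false positives.
FENCE_RE = re.compile(r"```.*?```|~~~.*?~~~", re.S)
INLINE_CODE_RE = re.compile(r"`[^`\n]*`")


def _is_js_url(value):
    """True for javascript: URLs, ignoring case and embedded whitespace."""
    if not value:
        return False
    return re.sub(r"\s", "", value).lower().startswith("javascript:")


class _Finder(HTMLParser):
    """Collects active-content constructs from raw HTML in the Markdown."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag (e.g. <img ... />) delegates here by default.
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):            # onerror=, onload=, ...
                self.findings.append(f"handler:{tag}@{name}")
            elif name in ("href", "src") and _is_js_url(value):
                self.findings.append(f"url:{tag}@{name}")


def find_active_html(markdown):
    """Return dangerous constructs found outside code spans, e.g.
    '<script>alert("XSS")</script>' (constructed) -> ['tag:script']."""
    stripped = INLINE_CODE_RE.sub("", FENCE_RE.sub("", markdown))
    finder = _Finder()
    finder.feed(stripped)
    finder.close()
    return finder.findings


def accept_import(markdown):
    """Gate for the import handler: reject any document carrying active HTML."""
    return not find_active_html(markdown)
```

A Markdown link such as `[x](javascript:...)` is not raw HTML and is not caught here; that case belongs to the renderer's link sanitizer.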