CVE-2024-32875 – github.com/gohugoio/hugo
Package
Manager: go
Name: github.com/gohugoio/hugo
Vulnerable Version: >=0.123.0 <0.125.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00118 pctl0.31411
Details
Hugo Markdown titles are not escaped in internal render hooks

### Impact

The title argument of Markdown links and images is not escaped in Hugo's internal render hooks. Affected are Hugo users who have these hooks enabled and do not trust their Markdown content files.

### Patches

Patched in v0.125.3.

### Workarounds

Replace the internal render hook templates with user-defined templates, or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

### References

https://github.com/gohugoio/hugo/releases/tag/v0.125.3
Metadata
Created: 2024-04-23T21:16:15Z
Modified: 2024-07-19T15:24:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-ppf8-hhpp-f5hj/GHSA-ppf8-hhpp-f5hj.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-ppf8-hhpp-f5hj
Finding: F008
Auto approve: 1