CVE-2024-55601 – github.com/gohugoio/hugo
Package
Manager: go
Name: github.com/gohugoio/hugo
Vulnerable Version: >=0.123.0 <0.139.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00149 (percentile 0.36031)
Details
Hugo does not escape some attributes in internal templates

## Impact

Some HTML attributes in Markdown in the internal templates listed below are not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates.

* `_default/_markup/render-link.html` from `v0.123.0`
* `_default/_markup/render-image.html` from `v0.123.0`
* `_default/_markup/render-table.html` from `v0.134.0`
* `shortcodes/youtube.html` from `v0.125.0`

## Patches

Patched in v0.139.4.

## Workarounds

Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

## References

* https://github.com/gohugoio/hugo/releases/tag/v0.139.4
* https://gohugo.io/about/security/
Metadata
Created: 2024-12-09T20:44:50Z
Modified: 2024-12-10T15:33:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-c2xf-9v2r-r2rx/GHSA-c2xf-9v2r-r2rx.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-c2xf-9v2r-r2rx
Finding: F008
Auto approve: 1