CVE-2021-25987 – hexo
Package
Manager: npm
Name: hexo
Vulnerable Version: >=0.0.1 <6.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00098 (percentile: 0.27926)
Details
Hexo Vulnerable to XSS
Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post “body” and “tags” are not sanitized for malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.
Metadata
Created: 2021-12-01T18:27:44Z
Modified: 2023-09-13T19:55:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-q54r-r9pr-w7qv/GHSA-q54r-r9pr-w7qv.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-q54r-r9pr-w7qv
Finding: F425
Auto approve: 1