GHSA-ppf8-hhpp-f5hj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ppf8-hhpp-f5hj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-ppf8-hhpp-f5hj/GHSA-ppf8-hhpp-f5hj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ppf8-hhpp-f5hj
- Aliases
- Related
- Published
- 2024-04-23T21:16:15Z
- Modified
- 2024-07-19T15:24:58Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Hugo Markdown titles do not escaped in internal render hooks
- Details
-
Impact
Title argument in Markdown for links and images not escaped in internal render hooks. Impacted are Hugo users who have these hooks enabled and do not trust their Markdown content files.
Patches
Patched in v0.125.3.
Workarounds
Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
References
https://github.com/gohugoio/hugo/releases/tag/v0.125.3
- Database specific
{ "nvd_published_at": "2024-04-23T21:15:48Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-04-23T21:16:15Z" }- References
-
- https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
- https://nvd.nist.gov/vuln/detail/CVE-2024-32875
- https://github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1
- https://github.com/gohugoio/hugo
- https://github.com/gohugoio/hugo/releases/tag/v0.125.3
- https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
- https://pkg.go.dev/vuln/GO-2024-2747
Affected packages
Go / github.com/gohugoio/hugo
Package
- Name
- github.com/gohugoio/hugo
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gohugoio/hugo