GHSA-q54r-r9pr-w7qv

Source
https://github.com/advisories/GHSA-q54r-r9pr-w7qv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-q54r-r9pr-w7qv/GHSA-q54r-r9pr-w7qv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q54r-r9pr-w7qv
Aliases
Published
2021-12-01T18:27:44Z
Modified
2023-11-08T04:05:19.860339Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Hexo Vulnerable to XSS
Details

Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post “body” and “tags” fields are not sanitized for malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.

Database specific
{
    "github_reviewed_at": "2021-12-01T16:15:32Z",
    "nvd_published_at": "2021-11-30T14:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE"
}
References

Affected packages

npm / hexo

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.1
Fixed
6.0.0

Database specific

{
    "last_known_affected_version_range": "<= 5.4.0"
}