CVE-2024-32875

Hugo doesn't escape markdown title in internal render hooks

CVSS 6.1 MEDIUMEPSS 0.5%CWE-79 CWE-80

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.1EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

23 abr 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Productos afectados

gohugoio · hugo

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/gohugoio/hugo/releases/tag/v0.125.3 https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault