CVE-2024-32875

2024-04-2321:15:48

CWE-79

CWE-80

[email protected]

web.nvd.nist.gov

hugo

static site

markdown

render hooks

escaping

vulnerability

nvd

patch

templates

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.2 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.

Affected configurations

Vulners

Node

gohugoiohugoRange0.123.0–0.125.3

CNA Affected

[
  {
    "vendor": "gohugoio",
    "product": "hugo",
    "versions": [
      {
        "version": ">= 0.123.0, < 0.125.3",
        "status": "affected"
      }
    ]
  }
]