GoogleOSV:GHSA-PPF8-HHPP-F5HJHugo Markdown titles do not escaped in internal render hooks
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7.2 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.5%
Impact
Title argument in Markdown for links and images not escaped in internal render hooks. Impacted are Hugo users who have these hooks enabled and do not trust their Markdown content files.
Patches
Patched in v0.125.3.
Workarounds
Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
References
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/gohugoio/hugo | lt | 0.125.3 | |
| github.com/gohugoio/hugo | ge | 0.123.0 |
References
github.com/gohugoio/hugo
github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1
github.com/gohugoio/hugo/releases/tag/v0.125.3
github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
nvd.nist.gov/vuln/detail/CVE-2024-32875
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7.2 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.5%