402 matches found
Hugo does not escape some attributes in internal templates
Impact Some HTML attributes in Markdown in the internal templates listed below are not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates. default/markup/render-link.html from v0.123.0 default/markup/render-image.html from...
Hugo cross-site scripting vulnerability
Hugo is a Go-based framework for rapid static site generation from the Gohugoio community. A cross-site scripting vulnerability exists in Hugo versions prior to 0.123.0 through 0.139.4, which stems from improperly escaping HTML attributes in certain Markdown in internal rendering hooks...
CVE-2024-34155 vulnerabilities
Vulnerabilities for packages: trivy, datadog-agent, restic-fips, caddy, crossplane-provider-azure-managedidentity, fulcio, http-echo, kube-bench, opa, ingress-nginx-controller, postgres-operator-fips, rabbitmq-messaging-topology-operator, kube-state-metrics, git-lfs, fq,...
CVE-2024-24791 vulnerabilities
Vulnerabilities for packages: datadog-agent, restic-fips, caddy, fulcio, http-echo, kube-bench, opa, rabbitmq-messaging-topology-operator, kube-state-metrics, git-lfs, prometheus-beat-exporter-fips, snyk-cli, metacontroller, velero-plugin-for-aws-fips, gatekeeper-fips, ko-fips, newrelic-nri-stats...
CVE-2024-24792 vulnerabilities
Vulnerabilities for packages: hugo, hugo-extended, gotenberg, chainctl, ollama...
CVE-2024-24792 vulnerabilities
Vulnerabilities for packages: hugo, ollama, hugo-extended...
GHSA-9PHM-FM57-RHG8 vulnerabilities
Vulnerabilities for packages: hugo, hugo-extended, gotenberg, chainctl, ollama...
Malicious code in hugo-cloudflare-docs (npm)
MAL-2024-2492 Malicious code in hugo-cloudflare-docs (npm)
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: flux-source-controller, hugo-extended, tempo, fluent-bit-plugin-loki, buildkitd, druid, guac, flyte, py3-cassandra-medusa, sigstore-scaffolding, k8sgpt, argo-workflows, py3-azure-identity, thanos, step, rclone, ksops, rekor, sqlpad, datadog-agent, wal-g,...
GO-2024-2747 Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo
Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo...
CVE-2024-33686
Missing Authorization vulnerability in Extend Themes Pathway, Extend Themes Hugo WP, Extend Themes Althea WP, Extend Themes Elevate WP, Extend Themes Brite, Extend Themes Colibri WP, Extend Themes Vertice. This issue affects Pathway: from n/a through 1.0.15; Hugo WP: from n/a through 1.0.8; Althea...
CVE-2024-33686
CVE-2024-33686 is a Missing Authorization vulnerability affecting multiple Extend Themes products (Pathway until 1.0.15; Hugo WP until 1.0.8; Althea WP until 1.0.13; Elevate WP until 1.0.15; Brite until 1.0.11; Colibri WP until 1.0.94; Vertice until 1.0.7). The CVE has a CVSSv3.1 base score of 4....
PT-2024-25441 · Extend Themes · Extend Themes Colibri Wp +6
Name of the Vulnerable Software and Affected Versions: Extend Themes Pathway versions 1.0.15 and earlier Extend Themes Hugo WP versions 1.0.8 and earlier Extend Themes Althea WP versions 1.0.13 and earlier Extend Themes Elevate WP versions 1.0.15 and earlier Extend Themes Brite versions 1.0.11 an...
WordPress Hugo WP theme <= 1.0.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Dhabaleshwar Das Patchstack Alliance in WordPress Theme Hugo WP versions <= 1.0.8...
WordPress Hugo WP Theme <= 1.0.8 is vulnerable to Broken Access Control
Software Hugo WP Type Theme Vulnerable versions <= 1.0.8 Fixed in 1.0.10 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2024-33686 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID b2b5b58a00f1 Credits Dhabaleshwar Das Required privilege...
SUSE CVE-2024-32875
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images are not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The...
Cross Site Scripting
github.com/gohugoio/hugo/ is vulnerable to Cross Site Scripting. This vulnerability arises due to insufficient escaping of title arguments in Markdown, impacting users who utilize these hooks without full trust in their Markdown content files...
GHSA-PPF8-HHPP-F5HJ Hugo Markdown titles are not escaped in internal render hooks
Impact Title argument in Markdown for links and images is not escaped in internal render hooks. Impacted are Hugo users who have these hooks enabled and do not trust their Markdown content files. Patches Patched in v0.125.3. Workarounds Replace with user defined templates or disable the internal...
GHSA-PPF8-HHPP-F5HJ vulnerabilities
Vulnerabilities for packages: hugo-extended...