CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score: 7.2 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 15.5%)
Hugo is a static site generator. Starting in version 0.123.0 and prior to
version 0.125.3, title arguments in Markdown for links and images are not
escaped in internal render hooks. Hugo users who are impacted are those who
have these hooks enabled and do not trust their Markdown content files. The
issue is patched in v0.125.3. As a workaround, replace the templates with
user-defined templates or disable the internal templates.
github.com/gohugoio/hugo/releases/tag/v0.125.3
github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
launchpad.net/bugs/cve/CVE-2024-32875
nvd.nist.gov/vuln/detail/CVE-2024-32875
security-tracker.debian.org/tracker/CVE-2024-32875
www.cve.org/CVERecord?id=CVE-2024-32875
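Added illustration (not Hugo's template code and not part of the advisory): the bug class described above, a Markdown link title written into an HTML title attribute without escaping, next to the same markup produced through Go's html/template. The function names, the example.org URL and the constructed title string are assumptions made for this example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// renderUnescaped writes the Markdown title into the attribute verbatim,
// which is the bug class the description refers to.
func renderUnescaped(dest, text, title string) string {
	var b strings.Builder
	b.WriteString(`<a href="` + dest + `"`)
	if title != "" {
		b.WriteString(` title="` + title + `"`)
	}
	b.WriteString(">" + text + "</a>")
	return b.String()
}

// linkTmpl goes through html/template, which escapes each value for the
// context it lands in (here: a double-quoted attribute value).
var linkTmpl = template.Must(template.New("link").Parse(
	`<a href="{{ .Dest }}"{{ with .Title }} title="{{ . }}"{{ end }}>{{ .Text }}</a>`))

func renderEscaped(dest, text, title string) (string, error) {
	var b strings.Builder
	err := linkTmpl.Execute(&b, map[string]string{"Dest": dest, "Text": text, "Title": title})
	return b.String(), err
}

// injectsAttribute reports whether the constructed marker attribute ended up
// as real markup instead of staying inside the title value.
func injectsAttribute(html string) bool {
	return strings.Contains(html, ` data-injected="1"`)
}

func main() {
	// Constructed sample: [docs](https://example.org/ "Docs\" data-injected=\"1")
	title := `Docs" data-injected="1`
	raw := renderUnescaped("https://example.org/", "docs", title)
	safe, err := renderEscaped("https://example.org/", "docs", title)
	if err != nil {
		panic(err)
	}
	fmt.Println(raw, injectsAttribute(raw))
	fmt.Println(safe, injectsAttribute(safe))
}
```

The same check can be run against a site's rendered output after upgrading or after swapping in user-defined render hook templates: a title containing a double quote should appear as an entity inside the attribute value, never as a new attribute.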