CVE-2021-25987

Name of the Vulnerable Software and Affected Versions Hexo versions 0.0.1 through 5.4.0

Description The issue concerns stored XSS, where the post body and tags do not properly sanitize malicious JavaScript during web page generation. This allows a local unprivileged attacker to inject arbitrary code.

Recommendations For Hexo versions 0.0.1 through 5.4.0, as a temporary workaround, consider disabling the generation of web pages that include user-provided content in the body and tags until a patch is available. Restrict access to the web page generation functionality to minimize the risk of exploitation. Avoid using the body and tags parameters in the affected web page generation process until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.