PT-2024-24931 · Hugo · Hugo

Ejona86 · Published 2024-04-23 · Updated 2024-06-04 · CVE-2024-32875

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Hugo versions 0.123.0 through 0.125.3
Description: Hugo is a static site generator. Title arguments in Markdown for links and images are not escaped in its internal render hooks. This issue impacts Hugo users who have these hooks enabled and do not trust their Markdown content files. The problem is resolved in version 0.125.3.
Recommendations: For Hugo versions 0.123.0 through 0.125.3, replace the internal templates with user-defined templates or disable the internal templates as a workaround until the issue is resolved by updating to version 0.125.3 or later.
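
A regression check for a user-defined link render hook, added here as an illustration and not taken from Hugo or from this advisory. It uses Go's standard html/template rather than Hugo's template runtime, and the two hook templates, the `attr` helper and the canary title are constructed for the example.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Two hypothetical link render hooks written for Go's html/template.
// They are not Hugo's embedded templates.
const (
	// Marks a hand-built attribute as trusted, so no escaping is applied.
	unsafeHook = `<a href="{{ .Destination }}"{{ with .Title }}{{ printf " title=\"%s\"" . | attr }}{{ end }}>{{ .Text }}</a>`
	// Leaves the value inside a quoted attribute for contextual escaping.
	safeHook = `<a href="{{ .Destination }}"{{ with .Title }} title="{{ . }}"{{ end }}>{{ .Text }}</a>`
)

// link mirrors the fields a link render hook receives from Markdown.
type link struct{ Destination, Title, Text string }

// canary is a constructed title, as in [docs](https://example.org/ 'x" data-canary="1').
const canary = `x" data-canary="1`

// render executes a hook; "attr" is a stand-in for a "mark as safe attribute" helper.
func render(hook string, l link) (string, error) {
	funcs := template.FuncMap{"attr": func(s string) template.HTMLAttr { return template.HTMLAttr(s) }}
	t, err := template.New("hook").Funcs(funcs).Parse(hook)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	err = t.Execute(&b, l)
	return b.String(), err
}

// titleEscaped reports whether the canary title stays inside the title attribute.
func titleEscaped(hook string) (bool, error) {
	out, err := render(hook, link{"https://example.org/", canary, "docs"})
	if err != nil {
		return false, err
	}
	// A raw quote after "x" ends the attribute and starts a new one.
	return !strings.Contains(out, ` data-canary="`), nil
}

func main() {
	for name, hook := range map[string]string{"unsafe": unsafeHook, "safe": safeHook} {
		ok, err := titleEscaped(hook)
		fmt.Println(name, "title escaped:", ok, err)
	}
}
```
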

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-32875
GHSA-PPF8-HHPP-F5HJ
GO-2024-2747

Affected Products

Hugo