PT-2024-36563 · Hugo+1 · Hugo+1
Jmooring
·
Published
2024-12-09
·
Updated
2024-12-18
·
CVE-2024-55601
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Hugo versions 0.123.0 through 0.139.4
Description
The issue concerns unescaped HTML attributes in Markdown within internal templates. This affects Hugo users who do not trust their Markdown content files and are using one or more of the following templates:
default/ markup/render-link.html, default/ markup/render-image.html, default/ markup/render-table.html, and/or shortcodes/youtube.html. The issue is patched in version 0.139.4.Recommendations
For Hugo versions 0.123.0 through 0.139.4, replace the affected internal templates with user-defined templates or disable the internal templates to mitigate the risk. Specifically, consider replacing or disabling the following templates:
default/ markup/render-link.html, default/ markup/render-image.html, default/ markup/render-table.html, and shortcodes/youtube.html. Update to version 0.139.4 or later to fully resolve the issue.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Hugo