Lucene search

GoogleOSV:GHSA-PPF8-HHPP-F5HJ

HistoryApr 23, 2024 - 9:16 p.m.

Hugo Markdown titles do not escaped in internal render hooks

2024-04-2321:16:15

Google

osv.dev

hugo

markdown

titles

escaped

internal render

hooks

users

enabled

untrusted

content

patches

v0.125.3

workarounds

templates

disable

references

software

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

Percentile

15.5%

JSON

Impact

Title argument in Markdown for links and images not escaped in internal render hooks. Impacted are Hugo users who have these hooks enabled and do not trust their Markdown content files.

Patches

Patched in v0.125.3.

Workarounds

Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

References

https://github.com/gohugoio/hugo/releases/tag/v0.125.3

References

github.com/gohugoio/hugo

github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1

github.com/gohugoio/hugo/releases/tag/v0.125.3

github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj

gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

nvd.nist.gov/vuln/detail/CVE-2024-32875

pkg.go.dev/vuln/GO-2024-2747

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

Percentile

15.5%

JSON

Related for OSV:GHSA-PPF8-HHPP-F5HJ