CVE-2021-25987
MEDIUM4.6EPSS 0.09%Hexo Vulnerable to XSS
Published: 12/1/2021Modified: 11/8/2023
Also known as:GHSA-q54r-r9pr-w7qv
Description
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
Affected packages (1)
- npm/hexo>= 0.0.1, < 6.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-25987
- PATCHhttps://github.com/hexojs/hexo
- WEBhttps://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
- WEBhttps://github.com/hexojs/hexo/issues/4838
- WEBhttps://github.com/hexojs/hexo/pull/4750
- WEBhttps://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987