CVE-2021-25987
MEDIUM4.6EPSS 0.09%Hexo Vulnerable to XSS
發布日:2021/12/1修改日:2023/11/8
描述
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
受影響套件(1)
- npm/hexo>= 0.0.1, < 6.0.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-25987
- PATCHhttps://github.com/hexojs/hexo
- WEBhttps://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
- WEBhttps://github.com/hexojs/hexo/issues/4838
- WEBhttps://github.com/hexojs/hexo/pull/4750
- WEBhttps://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987