CVE-2023-39584
HIGH7.5EPSS 4.7%Hexo `include_code` has a path traversal
發布日:2023/9/8修改日:2025/9/5
描述
Hexo up to v7.1.1 was discovered to contain an arbitrary file read vulnerability.
受影響套件(1)
- npm/hexofrom 0, < 7.2.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-39584
- PATCHhttps://github.com/hexojs/hexo
- WEBhttps://github.com/hexojs/hexo/blob/a3e68e7576d279db22bd7481914286104e867834/lib/plugins/tag/include_code.js#L49
- WEBhttps://github.com/hexojs/hexo/blob/cefee921153ba597316457f4fedf7b87b6516917/lib/plugins/tag/include_code.ts#L50
- WEBhttps://github.com/hexojs/hexo/commit/b5b63caee27256d71a0cee8954c22375ec885d07
- WEBhttps://github.com/hexojs/hexo/issues/5250
- WEBhttps://github.com/hexojs/hexo/pull/5251