CVE-2024-55601
EPSS 0.38%
Hugo does not escape some attributes in internal templates
Description

## Impact

Some HTML attributes in Markdown in the internal templates listed below are not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates.

* `_default/_markup/render-link.html` from `v0.123.0`
* `_default/_markup/render-image.html` from `v0.123.0`
* `_default/_markup/render-table.html` from `v0.134.0`
* `shortcodes/youtube.html` from `v0.125.0`

## Patches

Patched in v0.139.4.

## Workarounds

Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

## References

* https://github.com/gohugoio/hugo/releases/tag/v0.139.4
* https://gohugo.io/about/security/
Affected packages (3)
- Debian/hugo from 0
- Go/github.com/gohugoio/hugo >= 0.123.0, < 0.139.4
- Go/github.com/gohugoio/hugo >= 0.123.0, < 0.139.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-55601
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2024-55601
- PATCH: https://github.com/gohugoio/hugo
- WEB: https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0
- WEB: https://github.com/gohugoio/hugo/releases/tag/v0.139.4
- WEB: https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx
- WEB: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault