Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jMnhmLTl2MnItcjJyeM4ABCNH

Hugo does not escape some attributes in internal templates

Impact

Some HTML attributes in Markdown in the internal templates listed below are not escaped. Impacted are Hugo users who do not trust their Markdown content files and use one or more of these templates.

Patches

Patched in v0.139.4.

Workarounds

Replace the affected internal templates with user-defined templates, or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
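To make concrete what "does not escape some attributes" means, and why the advisory limits the impact to sites that render untrusted Markdown, here is an added Go example. It is not Hugo's code: Hugo is written in Go and its templates are Go templates, so the same template text is rendered once with text/template (no escaping) and once with html/template (contextual escaping). The ImageNode type, its field names, the render functions and the sample Markdown values are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"regexp"
	texttemplate "text/template"
)

// ImageNode is a constructed stand-in for the values a Markdown image render
// hook receives: the destination URL, the alt text and the title. All three
// come straight from the Markdown source, so a site that renders Markdown it
// does not trust must treat them as attacker input. The type and its field
// names are assumptions for this example, not Hugo's own data model.
type ImageNode struct {
	Destination string
	Text        string
	Title       string
}

// imgTemplate interpolates all three values into attribute positions. The
// template text is identical for both renderers below; only the package
// doing the rendering differs.
const imgTemplate = `<img src="{{ .Destination }}" alt="{{ .Text }}" title="{{ .Title }}">`

var (
	// text/template copies values verbatim: nothing is escaped.
	unescapedTmpl = texttemplate.Must(texttemplate.New("img").Parse(imgTemplate))
	// html/template parses the template as HTML and escapes each action
	// according to its context: attribute values get entity escaping, and
	// the src attribute additionally gets URL scheme filtering.
	escapedTmpl = htmltemplate.Must(htmltemplate.New("img").Parse(imgTemplate))
)

// RenderUnescaped models a template that forgets to escape attribute values.
func RenderUnescaped(n ImageNode) string {
	var buf bytes.Buffer
	if err := unescapedTmpl.Execute(&buf, n); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderEscaped is the hardened form: same template, contextual escaping.
func RenderEscaped(n ImageNode) string {
	var buf bytes.Buffer
	if err := escapedTmpl.Execute(&buf, n); err != nil {
		panic(err)
	}
	return buf.String()
}

// attrPattern finds name="..." attribute openers. Only a real quote after
// '=' counts, which is exactly what separates an injected attribute from an
// escaped one (an escaped quote renders as &#34; and does not match).
var attrPattern = regexp.MustCompile(`\s([A-Za-z][A-Za-z0-9-]*)="`)

// AttributeNames returns the attribute names present in a rendered tag. The
// template declares three (src, alt, title); any extra name means a value
// broke out of its attribute.
func AttributeNames(rendered string) []string {
	var names []string
	for _, m := range attrPattern.FindAllStringSubmatch(rendered, -1) {
		names = append(names, m[1])
	}
	return names
}

func main() {
	// Constructed Markdown-controlled values: the alt text closes the alt
	// attribute and opens an event handler attribute.
	hostile := ImageNode{
		Destination: "/img/cat.png",
		Text:        `cat" onerror="alert(1)`,
		Title:       "A cat",
	}
	fmt.Println("unescaped:", RenderUnescaped(hostile), AttributeNames(RenderUnescaped(hostile)))
	fmt.Println("escaped:  ", RenderEscaped(hostile), AttributeNames(RenderEscaped(hostile)))

	// A hostile destination: html/template replaces unsafe URL schemes in
	// src with its "#ZgotmplZ" placeholder; text/template passes it through.
	js := ImageNode{Destination: "javascript:alert(1)", Text: "x", Title: "y"}
	fmt.Println("unescaped:", RenderUnescaped(js))
	fmt.Println("escaped:  ", RenderEscaped(js))
}
```

The hostile alt text yields four attributes from the unescaped renderer and three from the escaped one; the extra onerror attribute is the symptom the advisory describes. AttributeNames is a cheap regression check for a site that owns its own render hook templates: run the template over Markdown fixtures containing quotes and compare the attribute count to what the template declares. For sites that keep the internal templates, the linked Hugo setting (renderHooks.image.enableDefault under markup.goldmark) is the switch the Workarounds section refers to.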

References

Permalink: https://github.com/advisories/GHSA-c2xf-9v2r-r2rx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jMnhmLTl2MnItcjJyeM4ABCNH
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago


EPSS Percentage: 0.00045
EPSS Percentile: 0.17541

Identifiers: GHSA-c2xf-9v2r-r2rx, CVE-2024-55601
References: Repository: https://github.com/gohugoio/hugo
Blast Radius: 0.0

Affected Packages

go:github.com/gohugoio/hugo
Dependent packages: 232
Dependent repositories: 210
Downloads:
Affected Version Ranges: >= 0.123.0, < 0.139.4
Fixed in: 0.139.4
All affected versions: 0.123.0, 0.123.1, 0.123.2, 0.123.3, 0.123.4, 0.123.5, 0.123.6, 0.123.7, 0.123.8, 0.124.0, 0.124.1, 0.125.0, 0.125.1, 0.125.2, 0.125.3, 0.125.4, 0.125.5, 0.125.6, 0.125.7, 0.126.0, 0.126.1, 0.126.2, 0.126.3, 0.127.0, 0.128.0, 0.128.1, 0.128.2, 0.129.0, 0.130.0, 0.131.0, 0.132.0, 0.132.1, 0.132.2, 0.133.0, 0.133.1, 0.134.0, 0.134.1, 0.134.2, 0.134.3, 0.135.0, 0.136.0, 0.136.1, 0.136.2, 0.136.3, 0.136.4, 0.136.5, 0.137.0, 0.137.1, 0.138.0, 0.139.0, 0.139.1, 0.139.2, 0.139.3
All unaffected versions: 0.18.1, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.20.6, 0.20.7, 0.22.1, 0.24.1, 0.25.1, 0.27.1, 0.30.1, 0.30.2, 0.31.1, 0.32.1, 0.32.2, 0.32.3, 0.32.4, 0.36.1, 0.37.1, 0.38.1, 0.38.2, 0.40.1, 0.40.2, 0.40.3, 0.42.1, 0.42.2, 0.45.1, 0.47.1, 0.49.1, 0.49.2, 0.54.0, 0.55.0, 0.55.1, 0.55.2, 0.55.3, 0.55.4, 0.55.5, 0.55.6, 0.56.0, 0.56.1, 0.56.2, 0.56.3, 0.57.0, 0.57.1, 0.57.2, 0.58.0, 0.58.1, 0.58.2, 0.58.3, 0.59.0, 0.59.1, 0.60.0, 0.60.1, 0.61.0, 0.62.0, 0.62.1, 0.62.2, 0.63.0, 0.63.1, 0.63.2, 0.64.0, 0.64.1, 0.65.0, 0.65.1, 0.65.2, 0.65.3, 0.66.0, 0.67.0, 0.67.1, 0.68.0, 0.68.1, 0.68.2, 0.68.3, 0.69.0, 0.69.1, 0.69.2, 0.70.0, 0.71.0, 0.71.1, 0.72.0, 0.73.0, 0.74.0, 0.74.1, 0.74.2, 0.74.3, 0.75.0, 0.75.1, 0.76.0, 0.76.1, 0.76.2, 0.76.3, 0.76.4, 0.76.5, 0.77.0, 0.78.0, 0.78.1, 0.78.2, 0.79.0, 0.79.1, 0.80.0, 0.81.0, 0.82.0, 0.82.1, 0.83.0, 0.83.1, 0.84.0, 0.84.1, 0.84.2, 0.84.3, 0.84.4, 0.85.0, 0.86.0, 0.86.1, 0.87.0, 0.88.0, 0.88.1, 0.89.0, 0.89.1, 0.89.2, 0.89.3, 0.89.4, 0.90.0, 0.90.1, 0.91.0, 0.91.1, 0.91.2, 0.92.0, 0.92.1, 0.92.2, 0.93.0, 0.93.1, 0.93.2, 0.93.3, 0.94.0, 0.94.1, 0.94.2, 0.95.0, 0.96.0, 0.97.0, 0.97.1, 0.97.2, 0.97.3, 0.98.0, 0.99.0, 0.99.1, 0.100.0, 0.100.1, 0.100.2, 0.101.0, 0.102.0, 0.102.1, 0.102.2, 0.102.3, 0.103.0, 0.103.1, 0.104.0, 0.104.1, 0.104.2, 0.104.3, 0.105.0, 0.106.0, 0.107.0, 0.108.0, 0.109.0, 0.110.0, 0.111.0, 0.111.1, 0.111.2, 0.111.3, 0.112.0, 0.112.1, 0.112.2, 0.112.3, 0.112.4, 0.112.5, 0.112.6, 0.112.7, 0.113.0, 0.114.0, 0.114.1, 0.115.0, 0.115.1, 0.115.2, 0.115.3, 0.115.4, 0.116.0, 0.116.1, 0.117.0, 0.118.0, 0.118.1, 0.118.2, 0.119.0, 0.120.0, 0.120.1, 0.120.2, 0.120.3, 0.120.4, 0.121.0, 0.121.1, 0.121.2, 0.122.0, 0.139.4, 0.139.5, 0.140.0, 0.140.1, 0.140.2, 0.141.0, 0.142.0