Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcGY4LWhocHAtZjVoas4AA7QS
Hugo Markdown titles are not escaped in internal render hooks
Impact
The title argument of Markdown links and images is not escaped in Hugo's internal render hooks. Affected are Hugo users who have these hooks enabled and do not trust their Markdown content files.
Patches
Patched in v0.125.3.
Workarounds
Replace the internal templates with user-defined ones, or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
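The advisory names the defect (a Markdown title copied unescaped into an HTML attribute) and the workaround (user-defined templates). The following added example, written for this page and not taken from Hugo's code, shows the general defense: one template rendered through Go's text/template copies the title verbatim into the attribute, while html/template's contextual autoescaper encodes it for the attribute it lands in. The ImageCtx type, its field names and the sample title are constructed assumptions, not Hugo's render hook context.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"io"
	texttemplate "text/template"
)

// ImageCtx is a constructed, simplified stand-in for the context an image
// render hook receives; it is not Hugo's own type.
type ImageCtx struct {
	Destination string // image URL
	Text        string // alt text
	Title       string // Markdown title argument; untrusted when content files are
}

// imgTpl places the Markdown title inside a double-quoted HTML attribute.
// The template text is the same for both renderers; only the engine differs.
const imgTpl = `<img src="{{ .Destination }}" alt="{{ .Text }}"{{ with .Title }} title="{{ . }}"{{ end }}>`

// render executes t (either *text/template.Template or *html/template.Template) against c.
func render(t interface{ Execute(io.Writer, interface{}) error }, c ImageCtx) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, c); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnescaped copies the title into the attribute verbatim: a quote in the
// title ends the attribute value, which is the defect class the advisory describes.
func RenderUnescaped(c ImageCtx) (string, error) {
	return render(texttemplate.Must(texttemplate.New("img").Parse(imgTpl)), c)
}

// RenderEscaped relies on html/template's contextual autoescaper, which knows
// {{ . }} sits inside a quoted attribute and encodes " < > & as entities there.
func RenderEscaped(c ImageCtx) (string, error) {
	return render(template.Must(template.New("img").Parse(imgTpl)), c)
}

func main() {
	// Constructed sample: a benign title that still carries attribute-breaking characters.
	c := ImageCtx{Destination: "/a.png", Text: "logo", Title: `Acme "v2" <beta>`}
	raw, _ := RenderUnescaped(c)
	safe, _ := RenderEscaped(c)
	fmt.Printf("unescaped: %s\nescaped:   %s\n", raw, safe)
}
```

With the sample title, the escaped output is `title="Acme &#34;v2&#34; &lt;beta&gt;"`, whereas the unescaped output closes the attribute at the first `"` in the title.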
References
https://github.com/gohugoio/hugo/releases/tag/v0.125.3
Permalink: https://github.com/advisories/GHSA-ppf8-hhpp-f5hj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcGY4LWhocHAtZjVoas4AA7QS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 4 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-ppf8-hhpp-f5hj, CVE-2024-32875
References:
- https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
- https://github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1
- https://github.com/gohugoio/hugo/releases/tag/v0.125.3
- https://nvd.nist.gov/vuln/detail/CVE-2024-32875
- https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
- https://pkg.go.dev/vuln/GO-2024-2747
- https://github.com/advisories/GHSA-ppf8-hhpp-f5hj
Blast Radius: 14.2
Affected Packages
go:github.com/gohugoio/hugo
Dependent packages: 232
Dependent repositories: 210
Affected Version Ranges: >= 0.123.0, < 0.125.3
Fixed in: 0.125.3
All affected versions: 0.123.0, 0.123.1, 0.123.2, 0.123.3, 0.123.4, 0.123.5, 0.123.6, 0.123.7, 0.123.8, 0.124.0, 0.124.1, 0.125.0, 0.125.1, 0.125.2
All unaffected versions: 0.18.1, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.20.6, 0.20.7, 0.22.1, 0.24.1, 0.25.1, 0.27.1, 0.30.1, 0.30.2, 0.31.1, 0.32.1, 0.32.2, 0.32.3, 0.32.4, 0.36.1, 0.37.1, 0.38.1, 0.38.2, 0.40.1, 0.40.2, 0.40.3, 0.42.1, 0.42.2, 0.45.1, 0.47.1, 0.49.1, 0.49.2, 0.54.0, 0.55.0, 0.55.1, 0.55.2, 0.55.3, 0.55.4, 0.55.5, 0.55.6, 0.56.0, 0.56.1, 0.56.2, 0.56.3, 0.57.0, 0.57.1, 0.57.2, 0.58.0, 0.58.1, 0.58.2, 0.58.3, 0.59.0, 0.59.1, 0.60.0, 0.60.1, 0.61.0, 0.62.0, 0.62.1, 0.62.2, 0.63.0, 0.63.1, 0.63.2, 0.64.0, 0.64.1, 0.65.0, 0.65.1, 0.65.2, 0.65.3, 0.66.0, 0.67.0, 0.67.1, 0.68.0, 0.68.1, 0.68.2, 0.68.3, 0.69.0, 0.69.1, 0.69.2, 0.70.0, 0.71.0, 0.71.1, 0.72.0, 0.73.0, 0.74.0, 0.74.1, 0.74.2, 0.74.3, 0.75.0, 0.75.1, 0.76.0, 0.76.1, 0.76.2, 0.76.3, 0.76.4, 0.76.5, 0.77.0, 0.78.0, 0.78.1, 0.78.2, 0.79.0, 0.79.1, 0.80.0, 0.81.0, 0.82.0, 0.82.1, 0.83.0, 0.83.1, 0.84.0, 0.84.1, 0.84.2, 0.84.3, 0.84.4, 0.85.0, 0.86.0, 0.86.1, 0.87.0, 0.88.0, 0.88.1, 0.89.0, 0.89.1, 0.89.2, 0.89.3, 0.89.4, 0.90.0, 0.90.1, 0.91.0, 0.91.1, 0.91.2, 0.92.0, 0.92.1, 0.92.2, 0.93.0, 0.93.1, 0.93.2, 0.93.3, 0.94.0, 0.94.1, 0.94.2, 0.95.0, 0.96.0, 0.97.0, 0.97.1, 0.97.2, 0.97.3, 0.98.0, 0.99.0, 0.99.1, 0.100.0, 0.100.1, 0.100.2, 0.101.0, 0.102.0, 0.102.1, 0.102.2, 0.102.3, 0.103.0, 0.103.1, 0.104.0, 0.104.1, 0.104.2, 0.104.3, 0.105.0, 0.106.0, 0.107.0, 0.108.0, 0.109.0, 0.110.0, 0.111.0, 0.111.1, 0.111.2, 0.111.3, 0.112.0, 0.112.1, 0.112.2, 0.112.3, 0.112.4, 0.112.5, 0.112.6, 0.112.7, 0.113.0, 0.114.0, 0.114.1, 0.115.0, 0.115.1, 0.115.2, 0.115.3, 0.115.4, 0.116.0, 0.116.1, 0.117.0, 0.118.0, 0.118.1, 0.118.2, 0.119.0, 0.120.0, 0.120.1, 0.120.2, 0.120.3, 0.120.4, 0.121.0, 0.121.1, 0.121.2, 0.122.0, 0.125.3, 0.125.4, 0.125.5, 0.125.6, 0.125.7, 0.126.0, 0.126.1, 0.126.2, 0.126.3, 0.127.0, 0.128.0, 0.128.1, 0.128.2, 0.129.0, 0.130.0, 0.131.0, 0.132.0, 0.132.1, 0.132.2, 0.133.0, 0.133.1, 0.134.0, 0.134.1, 0.134.2, 0.134.3, 0.135.0, 0.136.0, 0.136.1, 0.136.2, 0.136.3, 0.136.4, 0.136.5, 0.137.0, 0.137.1, 0.138.0, 0.139.0