Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xNTRyLXI5cHItdzdxds0Ylg
Hexo Vulnerable to XSS
Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post "body" and "tags" are not sanitized for malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.
Permalink: https://github.com/advisories/GHSA-q54r-r9pr-w7qv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNTRyLXI5cHItdzdxds0Ylg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-q54r-r9pr-w7qv, CVE-2021-25987
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-25987
- https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987
- https://github.com/hexojs/hexo/issues/4838
- https://github.com/hexojs/hexo/pull/4750
- https://github.com/advisories/GHSA-q54r-r9pr-w7qv
Blast Radius: 19.9
Affected Packages
npm:hexo
Dependent packages: 368
Dependent repositories: 21,451
Downloads: 118,736 last month
Affected Version Ranges: >= 0.0.1, <= 5.4.0
Fixed in: 6.0.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.5.11, 0.5.12, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.5, 3.3.7, 3.3.8, 3.3.9, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.6.0, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.4.0
All unaffected versions: 5.4.1, 5.4.2, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 7.0.0, 7.1.0, 7.1.1, 7.2.0, 7.3.0