Hugo Fixes Security Vulnerability in Markdown Rendering
CVE-2024-32875

6.1MEDIUM

Key Information:

Vendor

Gohugoio

Status
Hugo
Vendor
CVE Published:
23 April 2024

What is CVE-2024-32875?

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.

Affected Version(s)

hugo >= 0.123.0, < 0.125.3

References

https://github.com/gohugoio/hugo/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/gohugoio/hugo/releases/tag/v0.125.3
x_refsource_MISC
https://gohugo.io/getting-started/configuration-markup/#r...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.