CVE-2024-32875 MEDIUM

CVE-2024-32875: Hugo doesn't escape markdown title in internal render hooks

Vendor Gohugoio
Product hugo
Weakness CWE-80 · XSS · basic
Published April 23, 2024
Last update August 2, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images are not escaped in the internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the internal templates with user-defined templates or disable the internal templates.
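The workaround above relies on a user-defined render hook template. The following Go program is an added example, not Hugo's own code: it contrasts a link hook template that leaves the title to html/template's contextual escaping with one that assembles the title attribute as a trusted string, which is the CWE-80 bug class the advisory describes. `LinkCtx`, `parseLink` and `rawAttr` are hypothetical names, and the Markdown line is constructed input.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
)

// LinkCtx stands in for the fields a link render hook template reads
// (hypothetical; not Hugo's own render-hook context type).
type LinkCtx struct {
	Destination, Text, Title string
}

// Matches [text](dest "title"), allowing backslash escapes inside the title.
var linkRe = regexp.MustCompile(`\[([^\]]*)\]\(([^\s)]+)(?:\s+"((?:[^"\\]|\\.)*)")?\)`)

// parseLink extracts the hook inputs from one Markdown link (constructed parser).
func parseLink(md string) (LinkCtx, bool) {
	m := linkRe.FindStringSubmatch(md)
	if m == nil {
		return LinkCtx{}, false
	}
	title := strings.ReplaceAll(m[3], `\"`, `"`) // undo Markdown escaping
	return LinkCtx{Destination: m[2], Text: m[1], Title: title}, true
}

// safeHook: a user-defined render-link template in the spirit of the advisory's
// workaround. Every value passes through html/template's contextual escaper, so a
// quote in the title cannot terminate the attribute.
var safeHook = template.Must(template.New("link").Parse(
	`<a href="{{ .Destination }}"{{ with .Title }} title="{{ . }}"{{ end }}>{{ .Text }}</a>`))

// unsafeHook shows the CWE-80 bug class: the attribute is assembled as a string
// and marked trusted (template.HTMLAttr), which switches escaping off.
var unsafeHook = template.Must(template.New("link").Funcs(template.FuncMap{
	"rawAttr": func(s string) template.HTMLAttr { return template.HTMLAttr(`title="` + s + `"`) },
}).Parse(`<a href="{{ .Destination }}"{{ with .Title }} {{ rawAttr . }}{{ end }}>{{ .Text }}</a>`))

// render executes a hook template against one parsed link.
func render(t *template.Template, ctx LinkCtx) string {
	var sb strings.Builder
	if err := t.Execute(&sb, ctx); err != nil {
		panic(err)
	}
	return sb.String()
}

func main() {
	// Constructed line from an untrusted content file: the title tries to close the attribute.
	ctx, _ := parseLink(`[docs](https://example.com/docs "x\" onmouseover=\"alert(1)")`)
	fmt.Println(render(safeHook, ctx))   // title="x&#34; onmouseover=&#34;alert(1)"
	fmt.Println(render(unsafeHook, ctx)) // title="x" onmouseover="alert(1)" (attribute injected)
}
```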

Key dates

02 Disclosure timeline

April 23, 2024 CVE published
August 2, 2024 Record updated