CVE-2024-55601 MEDIUM

CVE-2024-55601: Hugo does not escape some attributes in internal templates

Vendor Gohugoio

Product hugo

Weakness CWE-79 · XSS

Published December 9, 2024

Last update December 10, 2024

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.

Key dates

02Disclosure timeline

December 9, 2024 CVE published

December 10, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-55601 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2024-55601: Hugo does not escape some attributes in internal templates

01Description

02Disclosure timeline

03References

04Related CVE