Home > Vulnerability Database > CVE-2024-32875

Mend.io Vulnerability Database

CVE-2024-32875

Good to know:

Date: April 23, 2024

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.

Language: Go

Severity Score

7.5

Related Resources (6)

Url: https://github.com/gohugoio/hugo/releases/tag/v0.125.3

Url: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-32875

Url: https://security-tracker.debian.org/tracker/CVE-2024-32875

Url: https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj

Url: https://www.mend.io/vulnerability-database/CVE-2024-32875

Severity Score

7.5

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

Top Fix

Upgrade Version

Upgrade to version v0.125.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-32875

Good to know:

Date: April 23, 2024

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?