VDB
CVE-2024-32875
CVE-2024-32875
PUBLISHED
CVSS 6.099999904632568 MEDIUM
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.
EPSS 0.21% · 43.5th percentile
Risk Scores
CVSS v3.1
6.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
0.21%
43.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| gohugo | hugo | 0.123.0 |
| github.com | gohugoio/hugo | 0.123.0 |
| gohugoio | hugo | >= 0.123.0, < 0.125.3 |
Timeline
- Jan 21, 1970 Security Advisory
- Apr 23, 2024 CVE Published
- Apr 24, 2024 EPSS Score
- May 19, 2024 EPSS Score
- Jun 13, 2024 EPSS Score
- Jul 8, 2024 EPSS Score
- Aug 1, 2024 EPSS Score
- Aug 26, 2024 EPSS Score
- Sep 20, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 14, 2024 EPSS Score
- Nov 8, 2024 EPSS Score
References
- https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj url
- https://github.com/gohugoio/hugo/releases/tag/v0.125.3 url
- https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault url
- https://nvd.nist.gov/vuln/detail/CVE-2024-32875 advisory
- https://github.com/gohugoio/hugo/commit/15a4b9b33715887001f6eff30721d41c0d4cfdd1 url
- https://github.com/gohugoio/hugo package
- https://pkg.go.dev/vuln/GO-2024-2747 url