CVE-2024-32875

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-32875

Severity

6.1

Medium

CVSS V3

Summary

Hugo doesn't escape markdown title in internal render hooks

Description

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.

References

https://images.chainguard.dev/security/CGA-fh8j-hg45-wfv8
https://github.com/advisories/GHSA-ppf8-hhpp-f5hj
https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32875.json
https://github.com/gohugoio/hugo/releases/tag/v0.125.3
https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
https://nvd.nist.gov/vuln/detail/CVE-2024-32875

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2024-32875

Severity

Summary

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company