Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affecting github.com/gohugoio/hugo/tpl/tplimpl/embedded package, versions >=0.123.0 <0.125.3
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMGOHUGOIOHUGOTPLTPLIMPLEMBEDDED-6672878
- published 24 Apr 2024
- disclosed 23 Apr 2024
- credit Eric Anderson
Introduced: 23 Apr 2024
New CVE-2024-32875 Open this link in a new tabHow to fix?
Upgrade github.com/gohugoio/hugo/tpl/tplimpl/embedded to version 0.125.3 or higher.
Overview
Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') due to the improper handling of Markdown titles in internal render hooks. An attacker can inject malicious code into Markdown files that, when processed by Hugo, can lead to cross-site scripting (XSS) if the internal render hooks are enabled and the Markdown content files are not trusted.
Note:
This is only exploitable if internal render hooks are enabled and the user does not trust their Markdown content files.
Workaround
This vulnerability can be mitigated by replacing with user-defined templates or disabling the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault