Upstream information
Description
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
CNA (GitHub) | |
---|---|
Base Score | 5.3 |
Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Attack Vector | Network |
Attack Complexity | Low |
Attack Requirements | None |
Privileges Required | None |
User Interaction | Passive |
Vulnerable System Confidentiality Impact | None |
Vulnerable System Integrity Impact | None |
Vulnerable System Availability Impact | None |
Subsequent System Confidentiality Impact | Low |
Subsequent System Integrity Impact | Low |
Subsequent System Availability Impact | None |
CVSSv4 Version | 4.0 |
No SUSE Security Announcements cross referenced.
SUSE Timeline for this CVE
CVE page created: Tue Dec 10 00:00:23 2024CVE page last modified: Tue Dec 10 14:03:03 2024