x/vulndb: potential Go vuln in github.com/gohugoio/hugo: CVE-2024-32875

GoVulnBot commented 4 months ago

CVE-2024-32875 references github.com/gohugoio/hugo, which may be a Go module.

Description: Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.

References:

Cross references:

Module github.com/gohugoio/hugo appears in issue #764 DEPENDENT_VULNERABILITY

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/gohugoio/hugo
      vulnerable_at: 0.125.3
      packages:
        - package: hugo
summary: CVE-2024-32875 in github.com/gohugoio/hugo
cves:
    - CVE-2024-32875
references:
    - advisory: https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
    - web: https://github.com/gohugoio/hugo/releases/tag/v0.125.3
    - web: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
source:
    id: CVE-2024-32875

gopherbot commented 3 months ago

Change https://go.dev/cl/586484 mentions this issue: data/reports: add 73 unreviewed reports

gopherbot commented 2 months ago

Change https://go.dev/cl/590039 mentions this issue: data/reports: add 51 reports

gopherbot commented 1 month ago

Change https://go.dev/cl/598592 mentions this issue: data/excluded,data/reports: review 2 reports, add GO-2024-2983

golang / vulndb

x/vulndb: potential Go vuln in github.com/gohugoio/hugo: CVE-2024-32875 #2747