CVE-2024-55601: Hugo does not escape some attributes in internal templates
Some HTML attributes in Markdown rendered through the internal templates listed below are not escaped. Affected are Hugo users who do not trust their Markdown content files and are using one or more of these templates (the version given is the first release that ships the template). The fix is in Hugo v0.139.4 (see the references below).
- _default/_markup/render-link.html (from v0.123.0)
- _default/_markup/render-image.html (from v0.123.0)
- _default/_markup/render-table.html (from v0.134.0)
- shortcodes/youtube.html (from v0.125.0)
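As an added illustration (not Hugo's own template code and not part of the advisory), the Go program below shows what "attribute not escaped" means in a render hook: a link title taken from a content file is interpolated into an HTML attribute once via text/template, which performs no escaping, and once via html/template, whose contextual escaper encodes the quote so the attribute cannot be closed early. The Link type, the template string and the attacker-controlled title are constructed for this example and are assumptions, not values from the advisory or from Hugo.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Link models the fields a Markdown link render hook sees: the
// destination URL and the title text, both taken from the content file.
// (Constructed for this example; not Hugo's hook context type.)
type Link struct {
	Destination string
	Title       string
}

// untrusted is a constructed payload: the title closes the quoted
// attribute and injects an event handler attribute.
var untrusted = Link{
	Destination: "https://example.test/",
	Title:       `x" onmouseover="alert(1)`,
}

// tmpl is a minimal stand-in for a render-link template (assumption).
const tmpl = `<a href="{{ .Destination }}" title="{{ .Title }}">link</a>`

// RenderUnescaped mimics the vulnerable pattern: the attribute value is
// interpolated verbatim, so the quote in Title breaks out of the attribute.
func RenderUnescaped(l Link) string {
	var buf bytes.Buffer
	t := texttemplate.Must(texttemplate.New("a").Parse(tmpl))
	if err := t.Execute(&buf, l); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderEscaped uses html/template, whose contextual escaper knows it is
// inside a quoted attribute and encodes the double quote as &#34;.
func RenderEscaped(l Link) string {
	var buf bytes.Buffer
	t := htmltemplate.Must(htmltemplate.New("a").Parse(tmpl))
	if err := t.Execute(&buf, l); err != nil {
		panic(err)
	}
	return buf.String()
}

// AttributeBreakout reports whether the rendered HTML contains the
// injected attribute, i.e. whether the payload escaped its attribute.
func AttributeBreakout(html string) bool {
	return strings.Contains(html, `" onmouseover="`)
}

func main() {
	fmt.Println("text/template:", RenderUnescaped(untrusted))
	fmt.Println("html/template:", RenderEscaped(untrusted))
}
```

The same breakout applies to any attribute filled from Markdown (link and image titles, table cell alignment attributes, shortcode parameters), which is why the advisory scopes the impact to sites that render Markdown they do not trust.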
References
- github.com/advisories/GHSA-c2xf-9v2r-r2rx
- github.com/gohugoio/hugo
- github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0
- github.com/gohugoio/hugo/releases/tag/v0.139.4
- github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx
- gohugo.io/getting-started/configuration-markup/
- nvd.nist.gov/vuln/detail/CVE-2024-55601