Skip to content

Some attributes not escaped in internal templates

Low
bep published GHSA-c2xf-9v2r-r2rx Dec 9, 2024

Package

gomod github.com/gohugoio/hugo (Go)

Affected versions

> v0.123.0

Patched versions

v0.139.4

Description

Impact

Some HTML attributes in Markdown in the internal templates listed below not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates.

  • _default/_markup/render-link.html from v0.123.0
  • _default/_markup/render-image.html from v0.123.0
  • _default/_markup/render-table.html from v0.134.0
  • shortcodes/youtube.html from v0.125.0

Patches

Patched in v0.139.4.

Workarounds

Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

References

Severity

Low

CVE ID

CVE-2024-55601

Weaknesses

No CWEs

Credits