2276799 – (CVE-2024-32875) CVE-2024-32875 hugo: title arguments in Markdown for links and images not escaped in internal render hooks

Bug 2276799 (CVE-2024-32875) - CVE-2024-32875 hugo: title arguments in Markdown for links and images not escaped in internal render hooks

Summary: CVE-2024-32875 hugo: title arguments in Markdown for links and images not esc...

Keywords:
Status:	NEW
Alias:	CVE-2024-32875
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2276800
Blocks:
TreeView+	depends on / blocked

Reported:	2024-04-24 04:21 UTC by Rohit Keshri
Modified:	2024-04-24 04:21 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-04-24 04:21:13 UTC

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.

https://github.com/gohugoio/hugo/releases/tag/v0.125.3
https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj
https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

Comment 1 Rohit Keshri 2024-04-24 04:21:29 UTC

Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2276800]

Note You need to log in before you can comment on or make changes to this bug.