Skip to content

Markdown title not escaped in internal render hooks

Low
bep published GHSA-ppf8-hhpp-f5hj Apr 23, 2024

Package

No package listed

Affected versions

>= v0.123.0

Patched versions

v0.125.3

Description

Impact

Title argument in Markdown for links and images not escaped in internal render hooks. Impacted are Hugo users who have these hooks enabled and do not trust their Markdown content files.

Patches

Patched in v0.125.3.

Workarounds

Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault

References

https://github.com/gohugoio/hugo/releases/tag/v0.125.3

Severity

Low

CVE ID

CVE-2024-32875

Weaknesses

Credits