Description
Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post “body” and “tags” are not sanitized for malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.
Remediation
References
https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987