Description
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
Remediation
References
https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987
Related Vulnerabilities
CVE-2020-7640 Vulnerability in npm package fun-map
CVE-2023-3672 Vulnerability in npm package webmention.js
CVE-2021-23328 Vulnerability in npm package iniparserjs
CVE-2008-5515 Vulnerability in maven package org.apache.tomcat:catalina
CVE-2022-24433 Vulnerability in maven package org.webjars.npm:simple-git