Source: hugo
Version: 0.131.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for hugo.

CVE-2024-55601[0]:
| Hugo is a static site generator. Starting in version 0.123.0 and
| prior to version 0.139.4, some HTML attributes in Markdown in the
| internal templates listed below are not escaped in internal render
| hooks. Those who are impacted are Hugo users who do not trust their
| Markdown content files and are using one or more of these templates:
| `_default/_markup/render-link.html` from `v0.123.0`;
| `_default/_markup/render-image.html` from `v0.123.0`;
| `_default/_markup/render-table.html` from `v0.134.0`; and/or
| `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in
| v0.139.4. As a workaround, one may replace an affected component
| with user defined templates or disable the internal templates.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-55601
    https://www.cve.org/CVERecord?id=CVE-2024-55601
[1] https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx

Regards,
Salvatore
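
The affected ranges in the CVE text above, worked through for the reported package version as an added example (not part of the bug report and not Hugo code): it returns the internal templates that fall in the vulnerable range and have no user-defined replacement. The names `Exposed`, `parse` and the `overridden` set are hypothetical; only the upstream version is compared, so a distribution package carrying a backported fix would still be reported.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// First affected release of each internal template, as listed in CVE-2024-55601.
var affectedSince = map[string]string{
	"_default/_markup/render-link.html":  "0.123.0",
	"_default/_markup/render-image.html": "0.123.0",
	"_default/_markup/render-table.html": "0.134.0",
	"shortcodes/youtube.html":            "0.125.0",
}

const fixedIn = "0.139.4" // first patched release per the advisory

// parse maps "v0.131.0" or a Debian-style "0.131.0-1" to a comparable integer;
// anything after the patch number is ignored. Assumes each component is < 1000.
func parse(v string) (int, error) {
	var a, b, c int
	_, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a, &b, &c)
	return a*1_000_000 + b*1_000 + c, err
}

// Exposed lists the advisory's templates that are vulnerable in version and are
// not replaced by a user-defined template (overridden: caller-supplied, hypothetical).
func Exposed(version string, overridden map[string]bool) ([]string, error) {
	v, err := parse(version)
	if err != nil {
		return nil, err
	}
	fixed, _ := parse(fixedIn)
	var out []string
	for tpl, since := range affectedSince {
		s, _ := parse(since)
		if v >= s && v < fixed && !overridden[tpl] {
			out = append(out, tpl)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Version from the bug report; no templates overridden (constructed input).
	fmt.Println(Exposed("0.131.0-1", nil))
}
```

For 0.131.0-1 the result omits `render-table.html`, which the advisory lists only from v0.134.0.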