Bug 1223309 (CVE-2024-32875) - VUL-0: CVE-2024-32875: hugo: XSS injection from Markdown content files (release v0.125.3)
Summary: VUL-0: CVE-2024-32875: hugo: XSS injection from Markdown content files (relea...
Status: IN_PROGRESS
Alias: CVE-2024-32875
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.5
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Jeff Kowalczyk
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/402924/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-23 13:51 UTC by Alexander Bergmann
Modified: 2024-04-24 08:14 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2024-04-23 13:51:08 UTC 
v0.125.3

This release fixes a security issue reported by @ejona86 (see #12411) that could allow XSS injection from Markdown content files if one of the internal link or image render hook templates added in Hugo 0.123.0 are enabled. You typically control and trust the content files, but according to Hugo's security model, we state that "template and configuration authors (you) are trusted, but the data you send in is not."

 markup/goldmark: Fix data race in the hugocontext wrapper 509ab08 @bep
 tpl: Escape .Title in built-in image and link render hooks 15a4b9b @bep
 tpl/tplimpl: Improve embedded templates 10a8448 @jmooring #12396
 SECURITY.md: Update link to security model 722c486 @ejona86
 modules: Fix potential infinite loop in module collection f40f50e @bep #12407

References:
https://github.com/gohugoio/hugo/releases/tag/v0.125.3
Comment 1 Jeff Kowalczyk 2024-04-23 14:00:34 UTC 
Version containing fix has been submitted to Factory with a reference to this issue.
Comment 2 OBSbugzilla Bot 2024-04-23 14:35:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1223309) was mentioned in
https://build.opensuse.org/request/show/1169894 Factory / hugo
Comment 3 Marcus Rückert 2024-04-23 15:06:46 UTC 
dont forget backports sp6