MidnightBSD

Advisories for hexo

CVE-2021-25987 LOW

Hexo versions 0.0.1 to 5.4.0 are vulnerable to stored XSS. The post “body” and “tags” fields are not sanitized for malicious JavaScript during web page generation, so a local unprivileged attacker can inject arbitrary code.

CVSS 3.x

Source                    Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov              4.6    MEDIUM    CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N  1.5             2.7
vulnerabilitylab@mend.io  5.0    MEDIUM    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  1.8             2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79

Products Affected

Vendor  Product  Version
hexo    hexo     *

CVE-2023-39584

Hexo up to v7.0.0 (RC2) was discovered to contain an arbitrary file read vulnerability.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  3.9             3.6

Products Affected

Vendor  Product  Version
hexo    hexo     *
hexo    hexo     7.0.0