CVE-2021-25987

Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post body and tags dont sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
MendCNA
5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
hexohexo
0.0.1 ≤
𝑥
≤ 5.4.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987
https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987