CVE-2021-25987

Hexo - Stored XSS

CVSS 5 MEDIUMEPSS 0.3%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

30 Nov 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Hexo · Hexo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200 https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987