Product<\/strong>: hugocms
Affected Version<\/strong>: (latest as of 25.09.2023; commit 77443d6)
Vulnerability Type<\/strong>: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk<\/strong>: HIGH
Vendor URL<\/strong>: https:\/\/hugoeditor.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
Advisory Status<\/strong>: Published
CVE Number<\/strong>: CVE-2023-49324
First Published<\/strong>: 2024-07-18
Last Update<\/strong>: 2024-07-18<\/p>\n
Desciption<\/h3>\n
The application hugocms<\/em>, developed by Inter-Data, provides a frontend for the static site generator hugo<\/em> to manage posts and other aspects of the site. The application does not provide any access-control mechanism and recommends to restrict access via a web server's basic auth capabilities.<\/p>\n Attackers that are able to create files can trigger an XSS vulnerability by creating a file that contains an XSS payload in its filename. Since the application supports versioning via git in its paid version, the vulnerability might be exploitable by an attacker with access to the remote git repository.<\/p>\n Use the \"New file\" button to create a file named:\u00a0<\/p>\n The XSS is triggered in the file listing, as shown in the following screenshot.<\/p>\n This security vulnerability was identified by Florian Dewald of usd AG.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2023-0033 | Cross-Site Scripting in hugocms Advisory ID: usd-2023-0033Product: hugocmsAffected Version: (latest as of 25.09.2023; commit 77443d6)Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Security Risk: HIGHVendor URL: https:\/\/hugoeditor.com\/Vendor acknowledged vulnerability: YesVendor Status: FixedAdvisory Status: PublishedCVE Number: CVE-2023-49324First Published: 2024-07-18Last Update: 2024-07-18 Desciption The application hugocms, developed by Inter-Data, provides a […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-22931","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=22931"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22931\/revisions"}],"predecessor-version":[{"id":23071,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22931\/revisions\/23071"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=22931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Proof of Concept<\/h3>\n
![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2024\/07\/hugocms_xss-filename-300x119.png\")
<\/p>\nTimeline<\/h3>\n
\n
Credits<\/h3>\n