GSD-2021-25987
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-25987",
"description": "Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post \u201cbody\u201d and \u201ctags\u201d don\u2019t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.",
"id": "GSD-2021-25987"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-25987"
],
"details": "Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post \u201cbody\u201d and \u201ctags\u201d don\u2019t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.",
"id": "GSD-2021-25987",
"modified": "2023-12-13T01:23:21.100228Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2021-25987",
"STATE": "PUBLIC",
"TITLE": "Hexo - Stored XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Hexo",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "5.4.0"
},
{
"version_affected": "\u003e",
"version_value": "0.0.1"
}
]
}
}
]
},
"vendor_name": "Hexo"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post \u201cbody\u201d and \u201ctags\u201d don\u2019t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200",
"refsource": "MISC",
"url": "https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987"
}
]
},
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=0.0.1 \u003c=5.4.0",
"affected_versions": "All versions starting from 0.0.1 up to 5.4.0",
"cvss_v2": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2021-11-30",
"description": "Hexo is vulnerable to stored XSS. The post `body` and `tags` don\u2019t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.",
"fixed_versions": [],
"identifier": "CVE-2021-25987",
"identifiers": [
"CVE-2021-25987"
],
"not_impacted": "",
"package_slug": "npm/hexo",
"pubdate": "2021-11-30",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-25987",
"https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200",
"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987"
],
"uuid": "30f33e91-88e7-48e3-ab27-d19f1f0f3946"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:hexo:hexo:*:*:*:*:*:node.js:*:*",
"cpe_name": [],
"versionEndIncluding": "5.4.0",
"versionStartIncluding": "0.0.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2021-25987"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post \u201cbody\u201d and \u201ctags\u201d don\u2019t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200"
},
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 2.7
}
},
"lastModifiedDate": "2021-11-30T16:00Z",
"publishedDate": "2021-11-30T14:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…