CVE-2021-25987 Vulnerability in npm package hexo

Description

Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.

Remediation

References

https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987

Related Vulnerabilities

CVE-2020-36632 Vulnerability in maven package org.webjars.npm:flat

CVE-2022-25858 Vulnerability in npm package terser

CVE-2020-36732 Vulnerability in maven package org.webjars.bower:crypto-js

CVE-2018-8032 Vulnerability in maven package org.apache.axis:axis

CVE-2023-31133 Vulnerability in npm package ghost

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N