Description
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
Remediation
References
https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987
Related Vulnerabilities
CVE-2020-28499 Vulnerability in maven package org.webjars.npm:merge
CVE-2022-0350 Vulnerability in npm package vditor
CVE-2021-25943 Vulnerability in npm package 101
CVE-2023-25653 Vulnerability in maven package org.webjars.npm:node-jose
CVE-2021-37533 Vulnerability in maven package commons-net:commons-net