Vulnerability Details : CVE-2021-25987
Hexo versions 0.0.1 to 5.4.0 are vulnerable against stored XSS. The post “body” and “tags” don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2021-25987
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 10 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-25987
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
1.9
|
LOW | AV:L/AC:M/Au:N/C:N/I:P/A:N |
3.4
|
2.9
|
NIST |
|
4.6
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
1.5
|
2.7
|
NIST |
|
5.0
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
1.8
|
2.7
|
Mend |
CWE ids for CVE-2021-25987
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Primary)
- vulnerabilitylab@mend.io (Secondary)
References for CVE-2021-25987
-
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987
CVE-2021-25987 | WhiteSource Vulnerability DatabaseThird Party Advisory
-
https://github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
Escape HTML by default in list_tag · hexojs/hexo@5170df2 · GitHubPatch;Third Party Advisory
Products affected by CVE-2021-25987
- cpe:2.3:a:hexo:hexo:*:*:*:*:*:node.js:*:*