CVE-2021-25987: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 30, 2021

Hexo is vulnerable to stored XSS. The post body and tags don’t sanitize malicious javascript during web page generation. Local unprivileged attacker can inject arbitrary code.

References

github.com/hexojs/hexo/commit/5170df2d3fa9c69e855c4b7c2b084ebfd92d5200
nvd.nist.gov/vuln/detail/CVE-2021-25987
www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25987

Code Behaviors & Features

Detect and mitigate CVE-2021-25987 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →