Vulnerability Information
Vulnerability Title
Hugo can execute a binary from the current directory on Windows
Vulnerability Description
Hugo is a fast and flexible static site generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.
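A defensive check for the condition described above, as an added example that is not part of the advisory or of Hugo's code: it lists files in a site's root directory whose names would shadow a helper binary. The function name `FindShadowBinaries` and the tool list passed to it (only `pandoc`, taken from the description) are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Extensions the description names for the planted file.
var shadowExts = map[string]bool{".exe": true, ".bat": true}

// FindShadowBinaries lists files directly inside dir named <tool>.exe or
// <tool>.bat, compared case-insensitively as Windows file names are.
func FindShadowBinaries(dir string, tools []string) ([]string, error) {
	want := make(map[string]bool, len(tools))
	for _, t := range tools {
		want[strings.ToLower(t)] = true
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, e := range entries {
		if e.IsDir() {
			continue // only a file in the working directory can be run
		}
		ext := filepath.Ext(e.Name())
		base := strings.TrimSuffix(e.Name(), ext)
		if shadowExts[strings.ToLower(ext)] && want[strings.ToLower(base)] {
			hits = append(hits, e.Name())
		}
	}
	return hits, nil
}

func main() {
	dir := "." // the directory hugo would be run from
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	// "pandoc" comes from the description; extend the list as needed (assumption).
	hits, err := FindShadowBinaries(dir, []string{"pandoc"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("shadows a helper binary:", filepath.Join(dir, h))
	}
}
```

Run it against a downloaded site's root before invoking `hugo` there; any hit is a file that a pre-0.79.1 Hugo on Windows could execute in place of the system binary.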
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Vulnerability Title
Gohugoio Hugo operating system command injection vulnerability
Vulnerability Description
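Gohugoio Hugo is a Go-based framework from the Gohugoio community for quickly generating static sites. Versions of Hugo before 0.79.1 contain an operating system command injection vulnerability: if a malicious file with the same name (exe or bat) is found in the current working directory when Hugo is run, that malicious command is invoked instead of the system command. Windows users who run "hugo" inside untrusted Hugo sites are affected.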
CVSS Information
N/A
Vulnerability Type
N/A