CVE-2024-25865
Description
Cross Site Scripting (XSS) vulnerability in hexo-theme-anzhiyu v1.6.12, allows remote attackers to execute arbitrary code via the algolia search function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in hexo-theme-anzhiyu v1.6.12 via algolia search function allows unauthenticated remote code execution.
Vulnerability
Description
[1] A Cross-Site Scripting (XSS) vulnerability exists in hexo-theme-anzhiyu version 1.6.12 via the algolia search function. The root cause is that the theme's Algolia JavaScript file does not sanitize search results before displaying them in the DOM [3]. This allows an attacker to inject arbitrary HTML and JavaScript code that will be executed when any user visits a page using the affected search feature.
Exploitation
The vulnerability can be triggered without authentication by crafting a search query containing malicious payloads such as `` [3]. When the Algolia search function returns results containing injected code, the theme renders them directly into the page, executing the payload in the context of the victim's browser. Numerous public sites using the theme with Algolia enabled are confirmed affected [3].
Impact
Successful exploitation allows remote attackers to execute arbitrary JavaScript in the context of the victim's session. This can lead to data theft (cookies, session tokens), defacement, or redirection to malicious sites. The vulnerability is classified as XSS and has been reported in the project's issue tracker [3]. As of the reference date, no official patch or workaround is documented in the advisory [1].
Mitigation
Status
While the vendor's repository is active, the issue report (from February 2024) remains open without a published fix [3]. Users are advised to either disable the Algolia search feature, implement output filtering in the theme's JavaScript, or monitor the repository for a security update.
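The root cause above is search hits interpolated into markup unescaped, and the suggested workaround is output filtering in the theme's JavaScript. The following is an added example written for this page, not code from hexo-theme-anzhiyu: it contrasts the unsafe interpolation pattern with a renderer that escapes every hit field and only accepts same-site relative permalinks (that permalink convention is an assumption, as are the constructed sample hits).

```javascript
// Added example, not the theme's own code: escape Algolia hit fields before
// building HTML instead of interpolating them raw into innerHTML.

// The five characters that must be neutralised in HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern, shown for contrast: untrusted index fields go straight into markup.
function renderHitUnsafe(hit) {
  return `<a href="${hit.permalink}">${hit.title}</a><p>${hit.content}</p>`;
}

// Hardened renderer: every field is escaped, and the link target is accepted only
// when it is a root-relative path (assumed convention for a static Hexo site),
// which also rejects protocol-relative and scheme-prefixed values.
function renderHitSafe(hit) {
  const isRelative = typeof hit.permalink === 'string' && /^\/(?![\/\\])/.test(hit.permalink);
  const href = isRelative ? escapeHtml(hit.permalink) : '#';
  return `<a href="${href}">${escapeHtml(hit.title)}</a><p>${escapeHtml(hit.content)}</p>`;
}

// The echoed query is untrusted too; it is rendered through the same escaper.
function renderQueryLabel(query) {
  return `Results for "${escapeHtml(query)}"`;
}

// Constructed sample hits: one benign, one whose indexed fields carry markup and
// an off-site permalink.
const SAMPLE_HITS = [
  { title: 'Hello World', permalink: '/2024/01/hello-world/', content: 'First post' },
  { title: 'Post <b>with</b> markup', permalink: 'https://example.invalid/', content: 'a & b "c"' },
];

function renderAllSafe(hits) {
  return hits.map(renderHitSafe).join('');
}

module.exports = { escapeHtml, renderHitUnsafe, renderHitSafe, renderQueryLabel, renderAllSafe, SAMPLE_HITS };
```

Rendering the second sample hit through `renderHitUnsafe` leaves the `<b>` tag live in the page, while `renderHitSafe` emits it as `&lt;b&gt;` text and drops the off-site link target.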
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- hexo-theme-anzhiyu/anzhiyu
- Range: =1.6.12
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.