Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-39319

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

Published

2023-09-08T17:15:27.910

Last Modified

2024-11-21T08:15:08.890

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	golang	go	< 1.20.8	Yes
Application	golang	go	< 1.21.1	Yes

References

https://go.dev/cl/526157 Patch ([email protected])
https://go.dev/issue/62197 Issue Tracking ([email protected])
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ Release Notes ([email protected])
https://pkg.go.dev/vuln/GO-2023-2043 Vendor Advisory ([email protected])
https://security.gentoo.org/glsa/202311-09 ([email protected])
https://security.netapp.com/advisory/ntap-20231020-0009/ Third Party Advisory ([email protected])
https://go.dev/cl/526157 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://go.dev/issue/62197 Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://pkg.go.dev/vuln/GO-2023-2043 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202311-09 (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20231020-0009/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)