CVE-2023-24538: Code Injection in Standard Library Html Template

CWE-94: Code Injection | 13 documents | 8 sources
Severity: 9.8 CRITICAL (NVD)
EPSS: 0.7% (top 29.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 6 | Latest update Oct 10

Description

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5 | go_standard_library/html_template | 1.20.0-0 | 1.20.3 | +1
NVD | golang/go | 1.20.0 | 1.20.3 | +1
CVEListV5 | zabbix/zabbix | 5.0.0 | 5.0.34 | +2

Patches

🔴 Vulnerability Details (5)

OSV: golang-1.17 vulnerabilities (2024-10-10)
OSV: CVE-2023-24538: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected (2023-04-06)
CVEList: Backticks not treated as string delimiters in html/template (2023-04-06)
GHSA: GHSA-v4m2-x4rp-hv22: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected (2023-04-06)
OSV: Backticks not treated as string delimiters in html/template (2023-04-05)

📋 Vendor Advisories (7)

Ubuntu: Go vulnerabilities (2024-10-10)
Ubuntu: Go vulnerabilities (2024-01-09)
Ubuntu: Go vulnerabilities (2023-06-06)
Ubuntu: Go vulnerabilities (2023-04-25)
Microsoft: Backticks not treated as string delimiters in html/template (2023-04-11)
CVE-2023-24538 — Code Injection | cvebase