CVE-2023-29400
published 2023-05-11


Priority: P3 (40)
CVSS 3.1: 7.3 High (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS: 1.04% (59.6th percentile)
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
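The advisory text is terse about why an empty value is dangerous, so here is an added worked example (it is not part of this advisory or of the Go project's code). The HTML tokenizer, after `name=`, skips whitespace and then reads an unquoted value up to the next whitespace, so a tag rendered as `<input name=q value= required>` is parsed as `value="required"` and the `required` attribute vanishes; an attacker who can force an action to be empty can thereby erase or rewrite attributes that follow it. The block below models that attribute-parsing rule with a small tokenizer written for this example (a simplification of the WHATWG tokenizer states, not a full HTML parser), renders the affected template pattern with the local `html/template`, and shows the quoted form that is safe regardless of toolchain version. `VulnerableOutput` is a constructed string standing in for the pre-fix output; the template and input strings are likewise constructed. The fixed releases (1.19.9, 1.20.4) no longer emit an empty unquoted value but substitute html/template's failsafe token `ZgotmplZ`, so on a patched toolchain the `required` attribute survives.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Templates used below (constructed for this example). UnquotedTmpl is the
// pattern CVE-2023-29400 describes; QuotedTmpl is the same tag with the action
// inside a quoted attribute value.
const (
	UnquotedTmpl = `<input name=q value={{.}} required>`
	QuotedTmpl   = `<input name=q value="{{.}}" required>`
)

// VulnerableOutput is a constructed string, not captured from a real build: what
// UnquotedTmpl rendered to with an empty input before the fix, when the action
// emitted nothing at all.
const VulnerableOutput = `<input name=q value= required>`

// Attr is one attribute of a start tag as a browser's tokenizer would see it.
type Attr struct {
	Name  string
	Value string
}

func isSpace(b byte) bool {
	return b == ' ' || b == '\t' || b == '\n' || b == '\r' || b == '\f'
}

// ParseTagAttrs tokenizes the attributes of a single start tag. It is a
// simplified model of the WHATWG tokenizer's attribute states: after "name=",
// whitespace is skipped (before attribute value state), then an unquoted value
// runs until whitespace or the end of the tag. That is the normalization rule
// the advisory refers to: "value= required" becomes value="required".
func ParseTagAttrs(tag string) []Attr {
	s := strings.TrimSpace(tag)
	s = strings.TrimPrefix(s, "<")
	s = strings.TrimSuffix(s, ">")
	i := 0
	for i < len(s) && !isSpace(s[i]) { // skip the tag name
		i++
	}
	var attrs []Attr
	for i < len(s) {
		for i < len(s) && isSpace(s[i]) {
			i++
		}
		if i >= len(s) {
			break
		}
		start := i
		for i < len(s) && !isSpace(s[i]) && s[i] != '=' { // attribute name state
			i++
		}
		name := strings.ToLower(s[start:i])
		for i < len(s) && isSpace(s[i]) { // after attribute name state
			i++
		}
		if i >= len(s) || s[i] != '=' {
			attrs = append(attrs, Attr{Name: name}) // boolean attribute, no value
			continue
		}
		i++ // consume '='
		for i < len(s) && isSpace(s[i]) { // before attribute value state
			i++
		}
		var val string
		switch {
		case i >= len(s):
			// "name=" at the very end of the tag: empty value
		case s[i] == '"' || s[i] == '\'':
			q := s[i]
			rest := s[i+1:]
			if end := strings.IndexByte(rest, q); end >= 0 {
				val = rest[:end]
				i += end + 2
			} else {
				val = rest
				i = len(s)
			}
		default:
			start = i
			for i < len(s) && !isSpace(s[i]) { // unquoted value runs to whitespace
				i++
			}
			val = s[start:i]
		}
		attrs = append(attrs, Attr{Name: name, Value: val})
	}
	return attrs
}

// AttrValue returns the value of the first attribute called name and whether it exists.
func AttrValue(attrs []Attr, name string) (string, bool) {
	for _, a := range attrs {
		if a.Name == name {
			return a.Value, true
		}
	}
	return "", false
}

// Render executes tmplText with html/template against data and returns the output.
func Render(tmplText string, data any) (string, error) {
	t, err := template.New("tag").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	fmt.Println("pre-fix output:  ", VulnerableOutput)
	fmt.Printf("  parses as:      %+v\n", ParseTagAttrs(VulnerableOutput))
	out, err := Render(UnquotedTmpl, "")
	if err != nil {
		panic(err)
	}
	fmt.Println("this toolchain:  ", out)
	fmt.Printf("  parses as:      %+v\n", ParseTagAttrs(out))
	quoted, err := Render(QuotedTmpl, "")
	if err != nil {
		panic(err)
	}
	fmt.Println("quoted template: ", quoted)
	fmt.Printf("  parses as:      %+v\n", ParseTagAttrs(quoted))
}
```

The practical check this gives you: grep your templates for `=\{\{` with no quote in between, and quote every attribute value (`attr="{{.}}"`) regardless of which Go you build with, because the quoted form renders `value=""` and keeps the following attributes intact even on an unpatched toolchain. Upgrading to 1.19.9 or 1.20.4 closes the gap for templates you cannot change.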

Affected

19 ranges
Vendor | Product | Version range | Fixed in
debian | golang-1.15 | - | -
debian | golang-1.19 | - | -
go_standard_library | html_template | < 1.19.9 | 1.19.9
go_standard_library | html_template | >= 1.20.0-0, < 1.20.4 | 1.20.4
golang | go | < 1.19.9 | 1.19.9
golang | go | >= 1.20.0, < 1.20.4 | 1.20.4
msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | - | -
msrc | azl3_golang_1.20.7-1_on_azure_linux_3.0 | - | -
msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | - | -
msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | - | -
msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | - | -
msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | - | -
msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | - | -
msrc | cbl2_golang_1.20.7-1_on_cbl_mariner_2.0 | - | -
msrc | cbl2_golang_1.21.6-1_on_cbl_mariner_2.0 | - | -
msrc | cbl2_msft-golang_1.20.7-1_on_cbl_mariner_2.0 | - | -
msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | - | -
msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | - | -
paloalto | pan-os | - | -

CVSS provenance

Source | Version | Score | Vector
nvd | v3.1 | 7.3 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
osv | - | 7.3 HIGH | -
vendor_ubuntu | - | 7.5 HIGH | -
vendor_debian | - | 7.3 HIGH | -
vendor_msrc | - | 7.3 HIGH | -
vendor_redhat | - | 7.3 HIGH | -