CVE-2023-39318: Cross-site Scripting in Standard Library Html Template

CWE-79 Cross-site Scripting | 12 documents | 8 sources

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.1% (top 71.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 8; latest update Nov 14

Description

The html/template package does not properly handle HTML-like "<!--" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to misinterpret the contents of <script> contexts, so that template actions are improperly escaped. This may be leveraged to perform an XSS attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

CVEList V5: go_standard_library/html_template, 1.21.0-0 to 1.21.1 (+1)
NVD: golang/go, 1.21.0 to 1.21.1 (+1)

Patches

Vulnerability Details (5)

OSV: Go vulnerabilities (2024-01-11)
GHSA: GHSA-vq7j-gx56-rxjh: The html/template package does not properly handle HTML-like "<!--" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts (2023-09-08)
CVEList: Improper handling of HTML-like comments in script contexts in html/template (2023-09-08)
OSV: CVE-2023-39318: The html/template package does not properly handle HTML-like "<!--" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts (2023-09-08)
OSV: Improper handling of HTML-like comments in script contexts in html/template (2023-09-07)

Vendor Advisories (6)

Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-10-10)
Ubuntu: Go vulnerabilities (2024-01-11)
Microsoft: Improper handling of HTML-like comments in script contexts in html/template (2023-09-12)
Red Hat: golang: html/template: improper handling of HTML-like comments within script contexts (2023-09-06)
CVE-2023-39318 — Cross-site Scripting | cvebase