CVE-2023-39319: Cross-site Scripting in Standard Library Html Template

CWE-79 Cross-site Scripting | 12 documents | 8 sources

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.1% (top 71.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 8; latest update Nov 14

Description

The html/template package does not apply the proper rules for handling occurrences of " contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

- CVEList V5: go_standard_library/html_template, 1.21.0-0 to 1.21.1 (+1)
- NVD: golang/go, 1.21.0 to 1.21.1 (+1)

Patches

Vulnerability Details (5)

- OSV: Go vulnerabilities (2024-01-11)
- CVEList: Improper handling of special tags within script contexts in html/template (2023-09-08)
- OSV: CVE-2023-39319: The html/template package does not apply the proper rules for handling occurrences of " contexts (2023-09-08)
- GHSA: GHSA-vv9m-32rr-3g55: The html/template package does not apply the proper rules for handling occurrences of " contexts (2023-09-08)
- OSV: Improper handling of special tags within script contexts in html/template (2023-09-07)

Vendor Advisories (6)

- Ubuntu: Go vulnerabilities (2024-11-14)
- Ubuntu: Go vulnerabilities (2024-10-10)
- Ubuntu: Go vulnerabilities (2024-01-11)
- Microsoft: Improper handling of special tags within script contexts in html/template (2023-09-12)
- Red Hat: golang: html/template: improper handling of special tags within script contexts (2023-09-06)
CVE-2023-39319 — Cross-site Scripting | cvebase