CVE-2023-3978
published 2023-08-02

CVE-2023-3978: Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

Priority: P4 · 24
CVSS 3.1: 6.1 (medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.84% (53.3th percentile)

Affected

31 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| canonical | lxd | >= 0 < 2.0.11-0ubuntu1~16.04.4+esm2 | 2.0.11-0ubuntu1~16.04.4+esm2 |
| canonical | lxd | >= 0 < 3.0.3-0ubuntu1~18.04.2+esm2 | 3.0.3-0ubuntu1~18.04.2+esm2 |
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.14.0-1 (forky) | golang-golang-x-net 1:0.14.0-1 (forky) |
| golang.org | x_net | >= 0 < 0.13.0 | 0.13.0 |
| golang.org | x_net_golang.org_x_net_html | < 0.13.0 | 0.13.0 |
| golang | networking | < 0.13.0 | 0.13.0 |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.2-3 | | |
| msrc | azl3_application-gateway-kubernetes-ingress_1.7.7-1 | | |
| msrc | azl3_cert-manager_1.11.2-8 | | |
| msrc | azl3_cert-manager_1.12.12-1 | | |
| msrc | azl3_cloud-provider-kubevirt_0.5.1-1 | | |
| msrc | azl3_containerized-data-importer_1.57.0-12 | | |
| msrc | azl3_containerized-data-importer_1.57.0-14 | | |
| msrc | azl3_kubevirt_0.59.0-14 | | |
| msrc | azl3_kubevirt_1.2.0-1 | | |
| msrc | azl3_multus_4.0.2-2 | | |
| msrc | azl3_multus_4.0.2-5 | | |
| msrc | azl3_prometheus-adapter_0.11.2-1 | | |
| msrc | azl3_prometheus-adapter_0.12.0-1 | | |
| msrc | azl3_telegraf_1.27.3-4 | | |
| msrc | azl3_telegraf_1.29.4-1 | | |
| msrc | azl3_vitess_17.0.2-1 | | |
| msrc | azl3_vitess_19.0.4-2 | | |
| msrc | azure_linux_3.0_arm | | |
| msrc | azure_linux_3.0_x64 | | |

CVSS provenance

nvd (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv: 7.5 HIGH
vendor_ubuntu: 7.5 HIGH
vendor_debian: 6.1 MEDIUM
vendor_msrc: 6.1 MEDIUM
vendor_redhat: 6.1 MEDIUM