CVE-2024-24785: Injection in Standard Library Html Template

CWE-74 (Injection) | 11 documents | 8 sources
Severity
5.4 MEDIUM (NVD)
EPSS
1.3%
top 20.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 5
Latest update: Nov 14

Description

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (1 package)

CVEList V5: go_standard_library/html_template, versions 1.22.0-0 to 1.22.1 (+1)

Vulnerability Details (4)

GHSA: GHSA-j6m3-gc37-6r6q: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/ (2024-03-06)
OSV: CVE-2024-24785: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/ (2024-03-05)
CVEList: Errors returned from JSON marshaling may break template escaping in html/template (2024-03-05)
OSV: Errors returned from JSON marshaling may break template escaping in html/template (2024-03-05)

Vendor Advisories (6)

Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-10-10)
Ubuntu: Go vulnerabilities (2024-07-09)
Microsoft: Errors returned from JSON marshaling may break template escaping in html/template (2024-03-12)
Red Hat: golang: html/template: errors returned from MarshalJSON methods may break template escaping (2024-03-05)
CVE-2024-24785 — Injection | cvebase