Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
References
Link | Resource |
---|---|
https://go.dev/cl/491617 | Patch |
https://go.dev/issue/59722 | Issue Tracking Patch |
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU | Mailing List Release Notes |
https://pkg.go.dev/vuln/GO-2023-1753 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Go
Published: 2023-05-11T15:29:24.874Z
Updated: 2023-06-12T19:08:27.799Z
Reserved: 2023-04-05T19:36:35.042Z
Link: CVE-2023-29400
JSON object: View
NVD Information
Status : Modified
Published: 2023-05-11T16:15:09.850
Modified: 2023-11-07T04:11:10.393
Link: CVE-2023-29400
JSON object: View
Redhat Information
No data.
CWE