The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
References
Link | Resource |
---|---|
https://go.dev/cl/526157 | Patch |
https://go.dev/issue/62197 | Issue Tracking |
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ | Release Notes |
https://pkg.go.dev/vuln/GO-2023-2043 | Vendor Advisory |
https://security.gentoo.org/glsa/202311-09 | |
https://security.netapp.com/advisory/ntap-20231020-0009/ | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Go
Published: 2023-09-08T16:13:28.663Z
Updated: 2023-09-08T16:13:28.663Z
Reserved: 2023-07-27T17:05:55.186Z
Link: CVE-2023-39319
JSON object: View
NVD Information
Status : Modified
Published: 2023-09-08T17:15:27.910
Modified: 2023-11-25T11:15:17.543
Link: CVE-2023-39319
JSON object: View
Redhat Information
No data.
CWE