Vulnerability Report: GO-2023-1751
- CVE-2023-24539
- Affects: html/template
- Published: May 05, 2023
- Modified: May 20, 2024
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
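As an added example, not part of this report and not the Go project's own code, the following Go program renders a constructed template whose action sits inside a single-quoted CSS string within a `<style>` element and checks whether the toolchain neutralises `<` and `>` there, as the fix for this report does. It is meant as a regression check that a build is running a Go version carrying the fix; the template layout, helper names and the sample untrusted value are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed template (an assumption for this example): an untrusted value is
// interpolated inside a single-quoted CSS string within a <style> element.
// This is the CSS string context in which html/template applies its CSS escaper.
const cssTemplate = `<style>.note::after { content: '{{.}}'; }</style>`

// renderInCSSContext executes cssTemplate with the given untrusted value and
// returns the rendered HTML.
func renderInCSSContext(untrusted string) (string, error) {
	t, err := template.New("css").Parse(cssTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, untrusted); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// angleBracketsNeutralised reports whether html/template on this toolchain
// escapes '<' and '>' inside the CSS string, i.e. whether the fix for
// GO-2023-1751 is present. Only the generated style body is inspected, since
// the surrounding <style> tags are literal template text and legitimately
// contain angle brackets.
func angleBracketsNeutralised(untrusted string) (bool, error) {
	out, err := renderInCSSContext(untrusted)
	if err != nil {
		return false, err
	}
	body := strings.TrimSuffix(strings.TrimPrefix(out, "<style>"), "</style>")
	return !strings.ContainsAny(body, "<>"), nil
}

func main() {
	// Constructed untrusted input containing the characters this report is about.
	payload := "<b>"
	out, err := renderInCSSContext(payload)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	ok, err := angleBracketsNeutralised(payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("angle brackets neutralised in CSS string context:", ok)
}
```

On a toolchain with the fix, the angle brackets in the style body come out as the CSS hex escapes `\3c` and `\3e` and the check returns true; on an affected version (before go1.19.9, or go1.20.0 up to but not including go1.20.4) they pass through unchanged and the check returns false, which is the condition under which untrusted input can close the CSS context.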
Affected Packages
- Path: html/template
- Versions: before go1.19.9, from go1.20.0-0 before go1.20.4
- Symbols: (none listed)
Aliases
- CVE-2023-24539
References
- https://go.dev/issue/59720
- https://go.dev/cl/491615
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://vuln.go.dev/ID/GO-2023-1751.json
Credits
- Juho Nurminen of Mattermost