CVE-2023-39319

MEDIUM severity · CVSS 6.1 · Cross-site scripting (XSS)

6.1CVSS MEDIUM

Summary

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionRequired

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://go.dev/cl/526157 ↗

Additional information

NVD record
https://go.dev/cl/526157Patch
https://go.dev/cl/526157Patch
https://pkg.go.dev/vuln/GO-2023-2043Advisory
https://go.dev/issue/62197
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20231020-0009/Advisory
https://go.dev/issue/62197