Vulnerability Report: GO-2023-1751

CVE-2023-24539
Affects: html/template
Published: May 05, 2023
Modified: Jun 12, 2023

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.

Affected Packages

Path

Versions

Symbols
html/template

before go1.19.9, from go1.20.0-0 before go1.20.4
- Template.Execute
- Template.ExecuteTemplate

Aliases

CVE-2023-24539

References

https://golang.ir/issue/59720
https://golang.ir/cl/491615
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
https://vuln.go.dev/ID/GO-2023-1751.json

Credits

Juho Nurminen of Mattermost

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL