Vulnerability Report: GO-2023-1753

CVE-2023-29400
Affects: html/template
Published: May 05, 2023
Modified: Jun 12, 2023

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

Affected Packages

Path

Versions

Symbols
html/template

before go1.19.9, from go1.20.0-0 before go1.20.4
- Template.Execute
- Template.ExecuteTemplate

Aliases

CVE-2023-29400

References

https://golang.ir/issue/59722
https://golang.ir/cl/491617
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
https://vuln.go.dev/ID/GO-2023-1753.json

Credits

Juho Nurminen of Mattermost

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL