CVE-2023-24539

Summary

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.

Affected Software

VendorProductVersion RangeStatus
Go standard libraryhtml/template0 < 1.19.9affected
Go standard libraryhtml/template1.20.0-0 < 1.20.4affected

Weaknesses

  • CWE-74: Improper input validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References