CVE-2023-24540
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go standard library | html/template | 0 < 1.19.9 | affected |
| Go standard library | html/template | 1.20.0-0 < 1.20.4 | affected |
Weaknesses
- CWE-74: Improper input validation
ADP Enrichment
CVE Program Container
Additional References
- https://go.dev/issue/59721
- https://go.dev/cl/491616
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://pkg.go.dev/vuln/GO-2023-1752
- https://security.netapp.com/advisory/ntap-20241115-0008/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://go.dev/issue/59721
- https://go.dev/cl/491616
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://pkg.go.dev/vuln/GO-2023-1752
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.