CVE-2023-29400

Summary

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

Affected Software

VendorProductVersion RangeStatus
Go standard libraryhtml/template0 < 1.19.9affected
Go standard libraryhtml/template1.20.0-0 < 1.20.4affected

Weaknesses

  • CWE-74: Improper input validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References