Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
References
Link | Resource |
---|---|
https://go.dev/cl/491615 | Patch |
https://go.dev/issue/59720 | Issue Tracking Patch |
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU | Mailing List Release Notes |
https://pkg.go.dev/vuln/GO-2023-1751 | Vendor Advisory |
Configurations
History
22 May 2023, 18:22
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU - Mailing List, Release Notes | |
References | (MISC) https://go.dev/issue/59720 - Issue Tracking, Patch | |
References | (MISC) https://pkg.go.dev/vuln/GO-2023-1751 - Vendor Advisory | |
References | (MISC) https://go.dev/cl/491615 - Patch | |
CPE | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.3 |
First Time |
Golang
Golang go |
|
CWE | CWE-74 |
11 May 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-11 16:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-24539
Mitre link : CVE-2023-24539
CVE.ORG link : CVE-2023-24539
JSON object : View
Products Affected
golang
- go
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')