Vulnerability Report: GO-2023-1753
- Standard library
- Alias: CVE-2023-29400
- Affects: html/template
- Published: May 05, 2023
- Modified: May 20, 2024
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
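The template shape the description names, rendered side by side with the quoted form, as an added example (not code from the Go project or from this report). The template strings, the inputs, and the helpers `render` and `hasAttrValue` are constructed for this illustration. An unquoted action leaves the attribute's delimiting to whatever follows at run time, so empty input leaves nothing after `class=`; a quoted action keeps the delimiters in the template text itself, so empty input still yields `class=""` and the remainder of the tag is unaffected regardless of Go version.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Unquoted attribute action: the shape the report describes. With empty
// input nothing follows "class=", and the rest of the tag is then read by
// the HTML parser under its own normalization rules. Fixed Go versions
// change what the escaper emits for this case, so the stand-alone run
// prints whatever the local toolchain produces instead of assuming it.
const unquotedTmpl = `<div class={{.}} id=main>`

// Quoted attribute action: the value is delimited by the quotes in the
// template, so empty input yields class="" and id=main stays separate.
const quotedTmpl = `<div class="{{.}}" id=main>`

// render parses and executes one html/template with data and returns the
// escaped output. (Constructed helper for this example.)
func render(tmpl string, data any) (string, error) {
	t, err := template.New("attr").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// hasAttrValue reports whether attr is followed by a value in out, i.e.
// whether something other than whitespace or ">" comes after "attr=".
// An attribute left without a value is the condition the report covers.
// (Constructed helper; a plain substring check, not an HTML parser.)
func hasAttrValue(out, attr string) bool {
	i := strings.Index(out, attr+"=")
	if i < 0 {
		return false
	}
	rest := out[i+len(attr)+1:]
	return rest != "" && rest[0] != ' ' && rest[0] != '>'
}

func main() {
	// Constructed inputs: empty, whitespace, and a double quote.
	for _, in := range []string{"", "a b", `x"y`} {
		u, err := render(unquotedTmpl, in)
		if err != nil {
			u = "execute error: " + err.Error()
		}
		q, err := render(quotedTmpl, in)
		if err != nil {
			q = "execute error: " + err.Error()
		}
		fmt.Printf("input %q\n  unquoted: %s (class has value: %v)\n  quoted:   %s (class has value: %v)\n",
			in, u, hasAttrValue(u, "class"), q, hasAttrValue(q, "class"))
	}
}
```

Running it with `go run .` prints both renderings for each input. The quoted form gives `class=""` for empty input and `class="x&#34;y"` for the quote, and the unquoted form escapes the space in `a b` to `&#32;`; only the unquoted rendering of empty input depends on whether the toolchain is in the affected range, which is why quoting attribute actions in templates is the version-independent fix.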
Affected Packages
- Path: html/template
- Go Versions: before go1.19.9, from go1.20.0-0 before go1.20.4
- Symbols: (not listed)
Aliases
- CVE-2023-29400
References
- https://go.dev/issue/59722
- https://go.dev/cl/491617
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://vuln.go.dev/ID/GO-2023-1753.json
Credits
- Juho Nurminen of Mattermost