| { |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0", |
| "cveMetadata": { |
| "cveId": "CVE-2023-39318" |
| }, |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc" |
| }, |
| "title": "Improper handling of HTML-like comments in script contexts in html/template", |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in \u003cscript\u003e contexts. This may cause the template parser to improperly interpret the contents of \u003cscript\u003e contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack." |
| } |
| ], |
| "affected": [ |
| { |
| "vendor": "Go standard library", |
| "product": "html/template", |
| "collectionURL": "https://pkg.go.dev", |
| "packageName": "html/template", |
| "versions": [ |
| { |
| "version": "0", |
| "lessThan": "1.20.8", |
| "status": "affected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "1.21.0-0", |
| "lessThan": "1.21.1", |
| "status": "affected", |
| "versionType": "semver" |
| } |
| ], |
| "programRoutines": [ |
| { |
| "name": "isComment" |
| }, |
| { |
| "name": "escaper.escapeText" |
| }, |
| { |
| "name": "tJS" |
| }, |
| { |
| "name": "tLineCmt" |
| }, |
| { |
| "name": "Template.Execute" |
| }, |
| { |
| "name": "Template.ExecuteTemplate" |
| } |
| ], |
| "defaultStatus": "unaffected" |
| } |
| ], |
| "problemTypes": [ |
| { |
| "descriptions": [ |
| { |
| "lang": "en", |
| "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://go.dev/issue/62196" |
| }, |
| { |
| "url": "https://go.dev/cl/526156" |
| }, |
| { |
| "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" |
| }, |
| { |
| "url": "https://pkg.go.dev/vuln/GO-2023-2041" |
| }, |
| { |
| "url": "https://security.netapp.com/advisory/ntap-20231020-0009/" |
| }, |
| { |
| "url": "https://security.gentoo.org/glsa/202311-09" |
| } |
| ], |
| "credits": [ |
| { |
| "lang": "en", |
| "value": "Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)" |
| } |
| ] |
| } |
| } |
| } |