| { |
| "schema_version": "1.3.1", |
| "id": "GO-2023-2041", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2023-39318" |
| ], |
| "summary": "Improper handling of HTML-like comments in script contexts in html/template", |
| "details": "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in \u003cscript\u003e contexts. This may cause the template parser to improperly interpret the contents of \u003cscript\u003e contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.", |
| "affected": [ |
| { |
| "package": { |
| "name": "stdlib", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.20.8" |
| }, |
| { |
| "introduced": "1.21.0-0" |
| }, |
| { |
| "fixed": "1.21.1" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "html/template", |
| "symbols": [ |
| "Template.Execute", |
| "Template.ExecuteTemplate", |
| "escaper.escapeText", |
| "isComment", |
| "tJS", |
| "tLineCmt" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "REPORT", |
| "url": "https://go.dev/issue/62196" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/526156" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2023-2041" |
| } |
| } |