blob: 156cec18b2e78cd5eab9dfa86ebdbde60fcc40a3 [file] [log] [blame]
id: GO-2023-1752
modules:
- module: std
versions:
- fixed: 1.19.9
- introduced: 1.20.0-0
- fixed: 1.20.4
vulnerable_at: 1.20.3
packages:
- package: html/template
symbols:
- nextJSCtx
derived_symbols:
- Template.Execute
- Template.ExecuteTemplate
summary: Improper handling of JavaScript whitespace in html/template
description: |-
Not all valid JavaScript whitespace characters are considered to be whitespace.
Templates containing whitespace characters outside of the character set
"\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions
may not be properly sanitized during execution.
credits:
- Juho Nurminen of Mattermost
references:
- report: https://go.dev/issue/59721
- fix: https://go.dev/cl/491616
- web: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
cve_metadata:
id: CVE-2023-24540
cwe: 'CWE-74: Improper input validation'
review_status: REVIEWED