data/reports/GO-2023-1751.yaml

id: GO-2023-1751
modules:
    - module: std
      versions:
        - fixed: 1.19.9
        - introduced: 1.20.0-0
          fixed: 1.20.4
      vulnerable_at: 1.20.3
      packages:
        - package: html/template
          symbols:
            - cssValueFilter
            - escaper.commit
          derived_symbols:
            - Template.Execute
            - Template.ExecuteTemplate
summary: Improper sanitization of CSS values in html/template
description: |-
    Angle brackets (<>) are not considered dangerous characters when inserted into
    CSS contexts. Templates containing multiple actions separated by a '/' character
    can result in unexpectedly closing the CSS context and allowing for injection of
    unexpected HTML, if executed with untrusted input.
credits:
    - Juho Nurminen of Mattermost
references:
    - report: https://go.dev/issue/59720
    - fix: https://go.dev/cl/491615
    - web: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
cve_metadata:
    id: CVE-2023-24539
    cwe: 'CWE-74: Improper input validation'