Vulnerability Report: GO-2023-2041

standard library

CVE-2023-39318
Affects: html/template
Published: Sep 07, 2023
Modified: May 20, 2024

The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.

Affected Packages

Path

Go Versions

Symbols
html/template

before go1.20.8, from go1.21.0-0 before go1.21.1
- Template.Execute
- Template.ExecuteTemplate

Aliases

CVE-2023-39318

References

https://go.dev/issue/62196
https://go.dev/cl/526156
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://vuln.go.dev/ID/GO-2023-2041.json

Credits

Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL