CVE-2023-29400
Severity CVSS v4.0: Pending analysis
Type: CWE-74 Injection
Publication date: 11/05/2023
Last modified: 24/01/2025
Description
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
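A template audit for the pattern described above, as an added example (not code from the advisory or the Go project): a heuristic scanner that reports actions placed directly in unquoted attribute values so they can be quoted. `Finding`, `FindUnquotedAttrActions` and `sample` are hypothetical names, and the sample template is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

type Finding struct {
	Line int    // 1-based line of the '='
	Attr string // attribute whose unquoted value opens with an action
}

// FindUnquotedAttrActions is a heuristic: only tags and quotes are tracked, so a bare '<' in text or script counts as a tag start.
func FindUnquotedAttrActions(src string) []Finding {
	var out []Finding
	inTag, quote := false, byte(0) // quote is 0 outside a quoted value
	for i := 0; i < len(src); i++ {
		c := src[i]
		switch {
		case strings.HasPrefix(src[i:], "{{"): // skip the action body
			body, _, _ := strings.Cut(src[i:], "}}")
			i += len(body) + 1
		case quote != 0: // inside "..." or '...': the value is quoted
			if c == quote {
				quote = 0
			}
		case !inTag:
			inTag = c == '<'
		case c == '>':
			inTag = false
		case c == '"' || c == '\'':
			quote = c
		case c == '=' && strings.HasPrefix(strings.TrimLeft(src[i+1:], " \t"), "{{"):
			name := strings.TrimRight(src[:i], " \t")
			name = name[strings.LastIndexAny(name, " \t\n<\"'")+1:]
			out = append(out, Finding{Line: 1 + strings.Count(src[:i], "\n"), Attr: name})
		}
	}
	return out
}

// sample is a constructed template, not taken from the advisory.
const sample = `<a href="{{.URL}}" title={{.Title}}>x</a>
<input class="c" value = {{.V}}>
<p>{{if gt .N 1}}n={{.N}}{{end}}</p><img alt='{{.Alt}}' src="/i.png">`

func main() {
	fmt.Println(FindUnquotedAttrActions(sample))
}
```

Quoting every reported attribute value (`title="{{.Title}}"`) removes the pattern regardless of the Go version in use.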
Impact
Base Score 3.x: 7.30
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | | 1.19.9 (excluding) |
| cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | 1.20.0 (including) | 1.20.4 (excluding) |
References to Advisories, Solutions, and Tools
- https://go.dev/cl/491617
- https://go.dev/issue/59722
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://pkg.go.dev/vuln/GO-2023-1753
- https://security.netapp.com/advisory/ntap-20241213-0005/



