Vulnerability Report: GO-2023-2043

CVE-2023-39319
Affects: html/template
Published: Sep 07, 2023

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

Affected Packages

Path

Versions

Symbols
html/template

before go1.20.8, from go1.21.0-0 before go1.21.1
- Template.Execute
- Template.ExecuteTemplate

Aliases

CVE-2023-39319

References

https://go.dev/issue/62197
https://go.dev/cl/526157
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://vuln.go.dev/ID/GO-2023-2043.json

Credits

Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL