Go html/template XSS from mishandled comment tokens in <script> tags
CVE-2023-39318 Published on September 8, 2023

Improper handling of HTML-like comments in script contexts in html/template
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to misinterpret the contents of <script> contexts, so that template actions are improperly escaped. This may be leveraged to perform an XSS attack.

NVD


Products Associated with CVE-2023-39318


Affected Versions

Go standard library html/template:

Exploit Probability

EPSS score: 0.10%
Percentile: 26.51%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.