Go html/template XSS via improper script handling
CVE-2023-39319 Published on September 8, 2023
Improper handling of special tags within script contexts in html/template
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
Products Associated with CVE-2023-39319
stack.watch emails you whenever new vulnerabilities are published in GoLang Go or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
Go standard library html/template:- Before 1.20.8 is affected.
- Version 1.21.0-0 and below 1.21.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.