CVE-2023-24540

Improper handling of JavaScript whitespace in html/template

CVSS 9.8 CRITICALEPSS 1.5%CWE-77

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

Go standard library · html/template

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://go.dev/cl/491616 https://go.dev/issue/59721 https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU https://pkg.go.dev/vuln/GO-2023-1752 https://security.netapp.com/advisory/ntap-20241115-0008/