CVE-2024-22199

2024-01-1118:15:45

CWE-116

CWE-20

CWE-79

[email protected]

web.nvd.nist.gov

security

vulnerability

template engines

web framework

xss

fiber

cve-2024-22199

nvd

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users’ browsers when visiting affected web pages. The vulnerability has been addressed, the template engine now defaults to having autoescape set to true, effectively mitigating the risk of XSS attacks.

Affected configurations

Vulners

NVD

Node

gofiberfiberRange<3.1.9

VendorProductVersionCPE
gofiberfiber*cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gofiber	fiber	*	cpe:2.3:a:gofiber:fiber::::::::

CNA Affected

[
  {
    "vendor": "gofiber",
    "product": "template",
    "versions": [
      {
        "version": "< 3.1.9",
        "status": "affected"
      }
    ]
  }
]